
Re: enveloped-signature algorithm

From: Joseph M. Reagle Jr. <reagle@w3.org>
Date: Fri, 07 Jul 2000 21:45:51 -0400
To: Kevin Regan <kevinr@valicert.com>
Cc: w3c-ietf-xmldsig@w3.org

At 16:45 2000-07-07 -0700, Kevin Regan wrote:
 >Is it necessary to have the:
 >algorithm?  Can't this simply be implied?  When would you
 >not want to exclude the enveloped Signature element from
 >the canonicalization step?  It seems like additional
 >complexity that is not really needed.

It isn't necessary for external or enveloped Signatures. Having it implied
buys little but potential ambiguity. Consider the behavior of a
canonicalization algorithm where this is implied and one is dealing with
nested enveloped/enveloping Signatures. John's approach of distinguishing
between evaluating-expressions-as-transforms, such as Signature's enveloping

   <XPath xmlns:dsig="&dsig;">
   (//. | //@* | //namespace::*)
   count(ancestor-or-self::dsig:Signature |
here()/ancestor::dsig:Signature[1]) >

or canonicalization's internal/default:

        (//. | //@* | //namespace::*)[not(self::comment())] )

and actual node-set ordering to UTF-8 conversion is quite slick IMHO.

Joseph Reagle Jr.   
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/People/Reagle/
Received on Friday, 7 July 2000 21:47:11 UTC
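
The ambiguity with nested Signatures mentioned in the message can be made concrete. The following is an added example, not part of the original message or of the specification's own code: it compares an explicit enveloped-signature filter, which drops only the Signature containing the transform (the nearest Signature ancestor of here()), with one possible reading of an implied rule that drops every Signature. The namespace URI, the element names Order/Item/Sku, the Id markers and the simplified Signature structure are assumptions made for the sample.

```python
import xml.etree.ElementTree as ET

DSIG = "urn:example:dsig"            # placeholder for the page's &dsig; entity
SIG = f"{{{DSIG}}}Signature"

# Constructed sample: a document with an enveloped Signature ("outer") whose
# content carries an item with its own enveloped Signature ("inner").
# Structure is simplified; the Id values on Transform are hypothetical
# markers used only to locate here().
DOC = f"""<Order xmlns:dsig="{DSIG}">
  <Item><Sku>A-1</Sku>
    <dsig:Signature Id="inner"><dsig:Transform Id="t-inner"/></dsig:Signature>
  </Item>
  <dsig:Signature Id="outer"><dsig:Transform Id="t-outer"/></dsig:Signature>
</Order>"""

def nearest_signature(root, here):
    """Equivalent of here()/ancestor::dsig:Signature[1]."""
    parents = {child: parent for parent in root.iter() for child in parent}
    node = parents.get(here)
    while node is not None and node.tag != SIG:
        node = parents.get(node)
    return node

def prune(root, should_drop):
    """Remove each matching element together with its subtree."""
    for parent in list(root.iter()):
        for child in list(parent):
            if should_drop(child):
                parent.remove(child)
    return root

def signature_ids(root):
    """Ids of the Signature elements still present, in document order."""
    return [sig.get("Id") for sig in root.iter(SIG)]

def explicit_enveloped(xml, transform_id):
    """Drop only the Signature that contains the given Transform."""
    root = ET.fromstring(xml)
    here = next(e for e in root.iter() if e.get("Id") == transform_id)
    target = nearest_signature(root, here)
    return signature_ids(prune(root, lambda e: e is target))

def implied_strip_all(xml):
    """One reading of an implied rule: drop every Signature element."""
    root = ET.fromstring(xml)
    return signature_ids(prune(root, lambda e: e.tag == SIG))
```

With the explicit filter the outer Signature's input still contains the inner Signature, so the inner one is covered by the outer digest; under the strip-everything reading it is not, which is the kind of divergence between implementations that an explicit transform avoids.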
