
Re: enveloped-signature algorithm

From: Kevin Regan <kevinr@valicert.com>
Date: Fri, 07 Jul 2000 21:31:58 -0700 (PDT)
To: "Joseph M. Reagle Jr." <reagle@w3.org>
Cc: w3c-ietf-xmldsig@w3.org
Message-id: <Pine.SOL.4.21.0007072128310.23413-100000@bugs.valicert.com>


Hmm, it doesn't look (from the DTD) like a Signature
element can contain another Signature element.  The
content of Object is:

<!ENTITY % Object.ANY '(#PCDATA|SignatureProperties|Manifest)*'>

In this case, it does not seem like the enveloping-signature
adds anything.  I might be wrong in thinking that Signature
elements cannot nest.  Can they?

If they cannot, there does not seem to be any case where
you would get to the Signature element and want to include
it in the signature calculation.  If this is the case,
the enveloping-signature algorithm seems worthless...

--Kevin

On Fri, 7 Jul 2000, Joseph M. Reagle Jr. wrote:

> At 16:45 2000-07-07 -0700, Kevin Regan wrote:
>  >
>  >Is it necessary to have the:
>  >
>  >http://www.w3.org/2000/02/xmldsig#enveloping-signature
>  >
>  >algorithm?  Can't this simply be implied?  When would you
>  >not want to exclude the enveloped Signature element from
>  >the canonicalization step?  It seems like additional
>  >complexity that is not really needed.
>  
> It isn't necessary for external or enveloped Signatures. Having it
> implied buys little but potential ambiguity. Consider the behavior of a
> canonicalization algorithm where this is implied and one is dealing with
> nested enveloped/enveloping Signatures. John's approach of
> distinguishing between evaluating-expressions-as-transforms, such as
> Signature's enveloping signature:
> 
>    <XPath xmlns:dsig="&dsig;">
>    (//. | //@* | //namespace::*)
>    [
>    count(ancestor-or-self::dsig:Signature |
> here()/ancestor::dsig:Signature[1]) >
>    count(ancestor-or-self::dsig:Signature)
>    ]
>    </XPath>
> 
> or canonicalization's internal/default:
> 
>         (//. | //@* | //namespace::*)[not(self::comment())]
> 
> and actual node-set ordering to UTF-8 conversion is quite slick IMHO.
> 
> _________________________________________________________
> Joseph Reagle Jr.   
> W3C Policy Analyst                mailto:reagle@w3.org
> IETF/W3C XML-Signature Co-Chair   http://www.w3.org/People/Reagle/
> 
Received on Saturday, 8 July 2000 00:31:58 GMT
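The point at issue in the exchange above (whether excluding the enveloping Signature can simply be "implied", or whether the transform must name the one Signature being evaluated) can be made concrete with a small script. The following is an added example and is not code from the thread or from either author. It builds a constructed PurchaseOrder carrying two enveloped Signatures (the Id values `buyer` and `auditor` are made up), implements the quoted enveloped-signature XPath as "remove the subtree of the Signature that contains the Reference being evaluated" (the two are equivalent, since a node fails the quoted count test exactly when that Signature is among its ancestor-or-self nodes), and contrasts it with an "implied" rule that strips every Signature. The standard library's C14N 2.0 (`xml.etree.ElementTree.canonicalize`, Python 3.8+) stands in for the canonicalization draft under discussion, and SHA-1 stands in for the draft's DigestMethod; both are substitutions for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Namespace named in the thread; the final Recommendation later moved to 2000/09.
DSIG_NS = "http://www.w3.org/2000/02/xmldsig#"
SIG_TAG = "{%s}Signature" % DSIG_NS

# Constructed sample document (not from the thread): one PurchaseOrder that
# carries two enveloped Signatures. The Id values are made up.
SAMPLE_XML = b"""<PurchaseOrder xmlns:dsig="http://www.w3.org/2000/02/xmldsig#">
  <Item>widget</Item>
  <dsig:Signature Id="buyer">
    <dsig:SignatureValue>AAA=</dsig:SignatureValue>
  </dsig:Signature>
  <dsig:Signature Id="auditor">
    <dsig:SignatureValue>BBB=</dsig:SignatureValue>
  </dsig:Signature>
</PurchaseOrder>"""


def parse_sample():
    return ET.fromstring(SAMPLE_XML)


def signatures_by_id(root):
    """Map each Signature element's Id attribute to the element itself."""
    return {sig.get("Id"): sig for sig in root.iter(SIG_TAG)}


def _canonical(root):
    # C14N 2.0 from the standard library stands in for the draft's C14N;
    # strip_text drops the indentation whitespace so the output is compact.
    return ET.canonicalize(ET.tostring(root, encoding="utf-8"),
                           strip_text=True).encode("utf-8")


def enveloped_signature_transform(root, here_signature):
    """Apply the enveloped-signature transform for one specific Signature:
    the one whose Reference is being evaluated (the here() of the XPath
    quoted in the thread). A node is kept unless that Signature is among
    its ancestor-or-self nodes, so exactly one subtree is dropped and every
    other Signature in the document survives. Returns canonical bytes."""
    if here_signature is root:
        raise ValueError("a Signature cannot be enveloped by itself")
    parent_map = {child: parent for parent in root.iter() for child in parent}
    parent = parent_map[here_signature]
    index = list(parent).index(here_signature)
    parent.remove(here_signature)
    try:
        return _canonical(root)
    finally:
        parent.insert(index, here_signature)  # leave the caller's tree intact


def strip_all_signatures(root):
    """The 'implied' behaviour asked about in the thread: drop every
    Signature element, with no way to say which Reference is being evaluated."""
    data = ET.tostring(root, encoding="utf-8")
    return ET.canonicalize(data, strip_text=True,
                           exclude_tags={SIG_TAG}).encode("utf-8")


def reference_digest(data):
    """Digest over the transformed bytes; SHA-1 stands in for the draft's DigestMethod."""
    return hashlib.sha1(data).hexdigest()


def demo():
    """Return the per-Signature digests under the explicit transform and the
    single digest that the 'implied' strip-everything rule would produce."""
    root = parse_sample()
    sigs = signatures_by_id(root)
    per_signature = {sid: reference_digest(enveloped_signature_transform(root, sig))
                     for sid, sig in sigs.items()}
    implied = reference_digest(strip_all_signatures(root))
    return per_signature, implied


if __name__ == "__main__":
    per_signature, implied = demo()
    for sid, digest in per_signature.items():
        print("transform for %-8s -> %s" % (sid, digest))
    print("implied strip-all   -> %s" % implied)
```

Run as a script it prints one digest per Signature for the explicit transform and a single digest for the implied rule. The explicit transform gives the buyer's Reference a digest input that still contains the auditor's Signature and vice versa, so each signer is on record about what else was in the document; the implied rule hands both signers the same bytes and silently changes what one signature covers whenever another is added or removed, which is the ambiguity the reply warns about. With nested Signatures the same code applies unchanged, because only the subtree of the Signature passed in is removed.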