W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > July to September 2000

Re: namespace question

From: Kevin Regan <kevinr@valicert.com>
Date: Wed, 12 Jul 2000 12:32:33 -0700 (PDT)
To: "Joseph M. Reagle Jr." <reagle@w3.org>
Cc: w3c-ietf-xmldsig@w3.org
Message-id: <Pine.SOL.4.21.0007121222390.3595-100000@bugs.valicert.com>

This brings up a few other issues.  If the namespace declarations of the
parents of the Signature node are to be included in the canonicalization,
you can not simply create a single signature and place it in multiple
locations within the final document.  You would have to compute the
signature multiple times, in a context-sensitive way, even if the two
signatures signed the same set of references.

Also, we have to look at what this means for Object elements
being signed.  In this case, the Signature object must be
created, with its associated namespace declarations and
the digests of Objects must be computed, taking into account
the namespace declarations of the Signature element as well
as its parent elements.

Now, let us apply this to nested signatures (a Signature element
within an Object element of another Signature element).  In this
event, how was the nested Signature element created?  Normally,
it seems to be the case that a nested signature was created by
simply grabbing that signature from somewhere else (it had already
been created), and placing that in an Object element of another
signature.  This would not be possible if signatures are
context-sensitive.

I'm wondering if it would make sense to terminate the namespace
declaration search at the Signature and Object element boundaries.
In this case, we avoid the various problems above.

--Kevin


On Wed, 12 Jul 2000, Kevin Regan wrote:

> 
> When signing a portion of an XML document (and Element and its
> children), it is necessary to have the entire document in order
> to determine the namespace declarations of the parents of the
> Element.
> 
> An XML Signature represents only a portion of a document.
> Once the Signature element and its children are created,
> it will be inserted somewhere in an XML document.
> Therefore, it may not be known in advance what the parent
> Element of the Signature element will be.
> 
> My question is, when canonicalizing the Signature element
> to compute the SignatureValue, is it necessary to include
> the namespace declarations of the parents of the Signature
> element.  If so, it is necessary to know where in the enclosing
> XML document that the newly generated signature will be inserted.
> 
> --Kevin 
> 
> 
> > This is done such that you can move a signature and ensure its
> namespace
> > context is taken with it.
> > 
> >  >  What I'm not exactly clear on
> >  >is if this applies to the actual Signature element for the signature
> > being
> >  >created.
> > 
> > I don't quite follow...
> > 
> >  >I don't think that it does (I don't believe that you need to
> >  >look at the parent elements of the Signature element to determine
> > their
> >  >namespace declarations)?  Is this correct?  If not, wouldn't it mean
> > that
> >  >the insertion point for the Signature element must be known in
> advance
> > so
> >  >that these declarations can be obtained?  Are there any differences
> > for
> >  >detached, enveloped, or enveloping signatures?
> > 
> > What do you mean known in advance?
> >  
> > 
> > _________________________________________________________
> > Joseph Reagle Jr.   
> > W3C Policy Analyst                mailto:reagle@w3.org
> > IETF/W3C XML-Signature Co-Chair   http://www.w3.org/People/Reagle/
> > 
> 
Received on Wednesday, 12 July 2000 15:32:31 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:10 GMT