
AW: New proposed fix for here()

From: Gregor Karlinger <gregor.karlinger@iaik.at>
Date: Wed, 16 Aug 2000 09:13:32 +0200
To: "John Boyer" <jboyer@PureEdge.com>
Cc: "XML" <w3c-ietf-xmldsig@w3.org>
Message-ID: <NDBBIMACDKCOPBLEJCCDMEKACJAA.gregor.karlinger@iaik.at>

Hi John,

<Petteri>

> I like John's proposal of calculating the XPath expression identifying the
> Signature element.

</Petteri>

I agree with Petteri; your proposal to add the XPath expression calculation
to the processing model seems to be the first solution which need not be
described as a hack.

> Actually, the thing I don't understand is why we have an enveloped transform
> at all.  Clearly, it is not a transform like the others, and we've tried
> hack after hack to get it to work-- without success.  My original thoughts
> on enveloped signatures is that they would be done by XPath transforms that
> were specific to the document.

Applause, Applause ;-)

>
> The only thing I can figure out is that XPath is recommended, not required.
> But is that such a big deal.  We recommend XPath because you can do
> enveloped signatures without it, but we don't require it because many can
> get by without enveloped signatures.  If you want enveloped signatures, then
> implement the XPath transform and be done with it.  Then, you can write the
> XPath expression that omits the Signature by taking into account what
> Transforms you've put beforehand.
>
> Still, I'll keep thinking about this and bring it up on the teleconference.

I am completely with you regarding this issue. People who would like
to use enveloped signatures should utilize an XPath transform taking into
account the very special architecture of the XML document in question. This
was the way of thinking most of us had (and I personally still have) until
the introduction of the enveloped signature transform.

To summarize my position:

1. Try to get rid of the enveloped signature transform and state that the
   XPath transform is required if people would like to deploy enveloped
   signatures.

2. If there are a lot of people who want to preserve the enveloped signature
   transform, then I would vote for your proposal to include the XPath
   expression computation in the processing model.

Regards, Gregor
---------------------------------------------------------------
Gregor Karlinger
mailto://gregor.karlinger@iaik.at
http://www.iaik.at
Phone +43 316 873 5541
Institute for Applied Information Processing and Communications
Austria
---------------------------------------------------------------
Received on Wednesday, 16 August 2000 03:13:12 GMT
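
The approach discussed in this message, a document-specific transform that omits the Signature element before digesting, is sketched below as an added example; it is not code from the message, the working group or any XML-DSig implementation. It assumes a constructed sample document, uses ElementTree's path subset in place of a full XPath transform, and uses Python's built-in C14N 2.0 and SHA-256 rather than the algorithms of the draft under discussion.

```python
import hashlib
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: element names other than Signature/SignatureValue are made up.
SIGNED_DOC = (
    '<order id="42"><item>widget</item>'
    f'<Signature xmlns="{DSIG}"><SignatureValue>AAAA</SignatureValue></Signature>\n'
    '<total>10</total></order>'
)

def omit_signature(root, path):
    """Remove the element(s) selected by a document-specific path.

    Text that follows the removed element is kept, as a node-set filter
    that drops only the Signature subtree would keep it.
    """
    parents = {child: parent for parent in root.iter() for child in parent}
    for sig in root.findall(path):
        parent = parents[sig]
        idx = list(parent).index(sig)
        if sig.tail:
            if idx == 0:
                parent.text = (parent.text or "") + sig.tail
            else:
                prev = parent[idx - 1]
                prev.tail = (prev.tail or "") + sig.tail
        parent.remove(sig)
    return root

def enveloped_digest(xml_text, path=f"./{{{DSIG}}}Signature"):
    """Digest the document with the enveloped Signature filtered out."""
    root = omit_signature(ET.fromstring(xml_text), path)
    canonical = ET.canonicalize(ET.tostring(root, encoding="unicode"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    before = enveloped_digest(SIGNED_DOC)
    # Changing the signature value must not change the digest ...
    print(before == enveloped_digest(SIGNED_DOC.replace("AAAA", "BBBB")))
    # ... while changing the signed content must.
    print(before != enveloped_digest(SIGNED_DOC.replace("widget", "gadget")))
```

The path is tied to where this particular document places its Signature, which is the "specific to the document" property the quoted text refers to; a verifier has to apply the same path the signer used.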
