Re: signature portability / C14N / inherited namespaces

r/JBoyer@PureEdge.com/2001.05.16/11:22:33
>[...]
>Actually, it does not.  
>
>"will be rendered to the canonical form with namespace declarations that
>***may*** have been made in its omitted ancestors, thus preserving the
>meaning of the element."
>
>The intent of the sentence is only to communicate that when you c14n
>(and subsequently sign) an element within a document (or any doc subset)
>rather than the whole document, then the doc-subset may contain
>namespaces from ancestors even if you've omitted the ancestor elements
>themselves.  However, if your XPath expression explicitly omits certain
>namespace nodes (possibly indirectly, by only keeping namespace nodes
>meeting a specific criterion), then they are omitted. See the Namespace
>Axis processing method in the Processing Model (Section 2.3).  A
>namespace node is processed if it is in the axis AND in the node-set.

Unfortunately XPath does not successfully address the problem
of _signature_ portability. The signed info is canonicalized
directly with no transforms (for obvious reasons), so there
is no way to omit unwanted namespaces in this case.

However, I see no alternative to simply deparenting embedded
signed documents before verification, if that does indeed work.

Merlin



Received on Wednesday, 16 May 2001 17:20:07 UTC
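Merlin's point above, that an embedded signed element picks up namespace declarations from its new ancestors when canonicalized in place, and that detaching it first avoids this, shown as an added example that is not part of the thread: a deliberately simplified inclusive-C14N-style renderer in Python using only the standard library. The `urn:example:*` namespaces, the sample documents and the `deparent` switch are constructed for illustration.

```python
import xml.dom.minidom as minidom

# Constructed sample: a signed element on its own, then the same bytes embedded in an
# envelope that declares an extra namespace the signed element never uses.
STANDALONE = '<doc xmlns="urn:example:doc"><SignedInfo Id="si">payload</SignedInfo></doc>'
ENVELOPE = '<env xmlns:outer="urn:example:outer"><body>' + STANDALONE + '</body></env>'

def attrs_of(elem):
    return [elem.attributes.item(i) for i in range(elem.attributes.length)]

def in_scope_namespaces(elem):
    """Namespace declarations visible at elem; the nearest ancestor's value wins.
    A deparented element has no ancestors, so only its own declarations count."""
    scope, node = {}, elem
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        for a in attrs_of(node):
            if a.name == "xmlns" or a.name.startswith("xmlns:"):
                scope.setdefault(a.name, a.value)
        node = node.parentNode
    return scope

def c14n_subtree(elem, rendered=None):
    """Simplified inclusive-C14N-style rendering (no escaping; attributes sorted by name):
    the apex element emits every in-scope declaration, inherited ones included, and
    descendants emit only those that differ from what an emitted ancestor declared."""
    scope = in_scope_namespaces(elem)
    ns_out = {k: v for k, v in scope.items() if (rendered or {}).get(k) != v}
    out = ["<" + elem.tagName]
    out += [f' {k}="{v}"' for k, v in sorted(ns_out.items())]  # "xmlns" sorts first
    out += [f' {a.name}="{a.value}"' for a in sorted(attrs_of(elem), key=lambda a: a.name)
            if not a.name.startswith("xmlns")]
    out.append(">")
    for child in elem.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            out.append(c14n_subtree(child, scope))
        elif child.nodeType == child.TEXT_NODE:
            out.append(child.data)
    out.append("</" + elem.tagName + ">")
    return "".join(out)

def canonical_form_standalone():
    return c14n_subtree(minidom.parseString(STANDALONE).documentElement)

def canonical_form_embedded(deparent=False):
    """deparent=True detaches the signed element from the envelope before rendering,
    the workaround the thread discusses: with no ancestors, nothing is inherited."""
    signed = minidom.parseString(ENVELOPE).getElementsByTagName("doc")[0]
    if deparent:
        signed.parentNode.removeChild(signed)
    return c14n_subtree(signed)
```

Embedded in place, the apex element gains `xmlns:outer="urn:example:outer"` and its digest no longer matches the standalone form; detached first, the two renderings are byte-identical.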