Re: AW: signature portability / C14N / inherited namespaces

Gregor,

We need to fix this problem somehow. If we are going to stop inherited
namespaces from flowing down into signed material, whether it is
signed XML data or SignedInfo, but those namespace declarations are
still needed, then we need to do something to be sure they are still
there.

Sticking with the current C14N but cutting out the part to be
canonicalized with DOM or something before it is canonicalized, I
would have said we would need to also tell people to explicitly
declare any needed namespaces in the data, at the apex of the piece of
XML to be canonicalized, not in the Transform.

Donald

From:  "Gregor Karlinger" <gregor.karlinger@iaik.at>
To:  "merlin" <merlin@baltimore.ie>,
            "Gregor Karlinger" <gregor.karlinger@iaik.at>
Cc:  <w3c-ietf-xmldsig@w3.org>
Date:  Thu, 31 May 2001 09:21:24 +0200
Message-ID:  <LBEPJAONIMDADHFHAEAOGECNCGAA.gregor.karlinger@iaik.at>
In-Reply-To:  <20010524121300.46F9044C71@yog-sothoth.ie.baltimore.com>

>Merlin,
>
>> Hi Gregor,
>>
>> r/gregor.karlinger@iaik.at/2001.05.24/14:08:19
>> >  I have not thought a lot about the consequences of the following idea,
>> >  but anyway: Should we add an additional rule both to the processing
>> >  rules for signature generation and validation, that the SignedInfo
>> >  element should be isolated from its context prior to computing
>> >  the canonicalized representation?
>>
>> Unfortunately we can't isolate SignedInfo. An XPath/XSLT Transform
>> can legitimately rely on inherited namespaces. I have a queued
>> followup to my earlier question on this topic, I just need to
>> finish it.
>>
>> Merlin
>
>Yes, some transforms could rely on inherited namespaces. But if we change
>the processing model slightly, we can cope with this problem: Simply
>state that all namespaces that are used in a transform MUST be declared
>in the Transform element.
>
>Liebe Gruesse/Regards,
>---------------------------------------------------------------
>DI Gregor Karlinger
>mailto:gregor.karlinger@iaik.at
>http://www.iaik.at
>Phone +43 316 873 5541
>Institute for Applied Information Processing and Communications
>Austria
>---------------------------------------------------------------

Received on Thursday, 31 May 2001 09:56:50 UTC
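
The trade-off discussed in this thread, as an added example that is not part of the original messages or of any XML Signature implementation: a simplified model of how only the apex element's namespace declarations are rendered, not a full C14N implementation. The envelope element, the `urn:example:*` namespaces, the trimmed SignedInfo content and all function names are constructed for illustration.

```python
import hashlib
from xml.dom import minidom

DSIG = "http://www.w3.org/2000/09/xmldsig#"
# Constructed, heavily trimmed SignedInfo: the XPath text relies on the prefix "app".
PLAIN = f'<SignedInfo xmlns="{DSIG}"><XPath>//app:order</XPath></SignedInfo>'
# Same element with the needed namespace declared at its own apex.
FIXED = PLAIN.replace("<SignedInfo ", '<SignedInfo xmlns:app="urn:example:app" ', 1)

def wrap(signed_info, extra):
    """Put signed_info in a constructed envelope carrying one unrelated declaration."""
    return (f'<env xmlns:app="urn:example:app" xmlns:{extra}="urn:example:{extra}">'
            f'{signed_info}</env>')

def is_ns(name):
    return name == "xmlns" or name.startswith("xmlns:")

def inscope_namespaces(elem):
    """Declarations visible at elem: its own plus inherited, nearest one winning."""
    ns, node = {}, elem
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        for name, value in node.attributes.items():
            if is_ns(name):
                ns.setdefault(name, value)
        node = node.parentNode
    return ns

def c14n_apex(envelope_xml, inherit):
    """Simplified canonical form of the SignedInfo found in envelope_xml.
    inherit=True pulls ancestor declarations onto the apex; False isolates it."""
    elem = minidom.parseString(envelope_xml).getElementsByTagName("SignedInfo")[0]
    own = dict(elem.attributes.items())
    ns = inscope_namespaces(elem) if inherit else {k: v for k, v in own.items() if is_ns(k)}
    attrs = {k: v for k, v in own.items() if not is_ns(k)}
    start = " ".join([elem.tagName]
                     + [f'{k}="{v}"' for k, v in sorted(ns.items())]
                     + [f'{k}="{v}"' for k, v in sorted(attrs.items())])
    body = "".join(child.toxml() for child in elem.childNodes)
    return f"<{start}>{body}</{elem.tagName}>"

def digest(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    cases = [("inherited", PLAIN, True), ("isolated", PLAIN, False),
             ("isolated + apex decl", FIXED, False)]
    for label, si, inherit in cases:
        a, b = (c14n_apex(wrap(si, x), inherit) for x in ("a", "b"))
        print(f"{label:22} portable={digest(a) == digest(b)} app_bound={'xmlns:app=' in a}")
```

With inherited namespaces the digest changes when the same SignedInfo sits in a different envelope; isolating it makes the digest stable but drops the `app` binding the XPath text needs; declaring `app` at the apex gives both.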