- From: Donald E. Eastlake 3rd <dee3@torque.pothole.com>
- Date: Mon, 04 Jun 2001 00:00:33 -0400
- To: "John Boyer" <JBoyer@PureEdge.com>
- cc: <w3c-ietf-xmldsig@w3.org>
Hi John,
I don't particularly want to get into this complex area. However, if
an XPath transform were limited to just diddling namespace declaration
presence or absence, then it strikes me you are using a wrecking ball
to kill a mosquito.
I consider having separate DigestValue elements a feature absolutely
necessary to Manifest and of use in SignedInfo in finding out what
went wrong if a signature fails.
Donald
From: "John Boyer" <JBoyer@PureEdge.com>
Date: Thu, 31 May 2001 09:13:35 -0700
Message-ID: <7874BFCCD289A645B5CE3935769F0B520C33E4@tigger.PureEdge.com>
To: "Gregor Karlinger" <gregor.karlinger@iaik.at>,
"Donald E. Eastlake 3rd" <dee3@torque.pothole.com>
Cc: <w3c-ietf-xmldsig@w3.org>
>Hi Gregor and Donald,
>
>Obviously, I would be an advocate for adding an XPath transform to the
>C14N transform. I proposed this at our third FtF, but it made some
>people nervous at the time (and I can understand that; better safe than
>sorry). However, I think we all know now that the procedure is quite
>safe provided the following additional step is taken: after a c14n
>transform's xpath transform, add an implicit transform that ensures the
>signature element and all of its descendant elements, attributes, and at
>least the xmldsig namespace are in the resultant node-set. W.r.t. the
>problem you are trying to solve, this limits the scope of the XPath to
>namespace filtering, but with same document signatures, it eliminates
>the need to have a separate Reference, do a double hash calculation,
>etc.
>
>Cheers,
>John Boyer
>
>
Received on Monday, 4 June 2001 00:01:36 UTC
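
The point in the first message about separate DigestValue elements, as an added example that is not part of the original messages: a verifier that recomputes the digest of each Reference and reports which one failed. It assumes SHA-1 digests over raw octets with no transforms or canonicalization; the URIs and content are constructed sample data and the helper names are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SHA1 = DS + "sha1"  # digest algorithm identifier in the xmldsig namespace
ET.register_namespace("ds", DS)


def b64_sha1(data: bytes) -> str:
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def build_signed_info(resources: dict) -> str:
    """Signer side: one ds:Reference, with its own DigestValue, per resource."""
    signed_info = ET.Element(f"{{{DS}}}SignedInfo")
    for uri, octets in resources.items():
        ref = ET.SubElement(signed_info, f"{{{DS}}}Reference", URI=uri)
        ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm=SHA1)
        ET.SubElement(ref, f"{{{DS}}}DigestValue").text = b64_sha1(octets)
    return ET.tostring(signed_info, encoding="unicode")


def failed_references(signed_info_xml: str, resources: dict) -> list:
    """Verifier side: URIs whose recomputed digest does not match DigestValue."""
    failures = []
    root = ET.fromstring(signed_info_xml)
    for ref in root.findall(f"{{{DS}}}Reference"):
        uri = ref.get("URI")
        algorithm = ref.find(f"{{{DS}}}DigestMethod").get("Algorithm")
        expected = ref.findtext(f"{{{DS}}}DigestValue", default="").strip()
        octets = resources.get(uri)
        # Unknown algorithm, missing resource, or digest mismatch all fail
        # this one reference without hiding the status of the others.
        if algorithm != SHA1 or octets is None or b64_sha1(octets) != expected:
            failures.append(uri)
    return failures


# Constructed sample data (assumption: same-document fragments, already octets).
SIGNED = {"#order": b"<order id='1'>10 widgets</order>",
          "#terms": b"<terms>net 30</terms>"}
SIGNED_INFO = build_signed_info(SIGNED)
RECEIVED = {**SIGNED, "#order": b"<order id='1'>1000 widgets</order>"}

if __name__ == "__main__":
    print("failed references:", failed_references(SIGNED_INFO, RECEIVED))
```

With a single digest over everything, the verifier would learn only that something changed; the per-Reference values narrow the failure to `#order`.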