W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > January to March 2001

Re: XML validation clarification?

From: Donald E. Eastlake 3rd <dee3@torque.pothole.com>
Date: Mon, 22 Jan 2001 12:43:06 -0500
Message-Id: <200101221743.MAA0000041575@torque.pothole.com>
To: "Frederick J. Hirsch" <hirsch@caveosystems.com>
cc: <w3c-ietf-xmldsig@w3.org>

Your observations generally seem correct and could be used as
arguments for generating detached signatures and defining a new
document type to include a signed document and the signature or
arguements for other things such as not using validating parsers or
defining document to provide for signature from the beginning or
whatever...

Donald

From:  "Frederick J. Hirsch" <hirsch@caveosystems.com>
To:  <w3c-ietf-xmldsig@w3.org>
Date:  Sun, 21 Jan 2001 16:17:14 -0500
Message-ID:  <NEBBLPMKCKBLFHBJIHPCGEHHCIAA.hirsch@caveosystems.com>

>I would like to clarify how XML validation works with XML Digital Signatures
>(also applicable to confidentiality). [Is there a more appropriate place to
>raise such a topic?]
>
>If I have an XML document with an associated DTD or schema, I may validate that
>document.
>The document might be
><info>
><item>abc</item>
></info>
>
>If I decide to sign that document I may use a detached signature or an enveloped
>or enveloping signature.
>
>If I use a detached signature I may continue to validate the document since the
>signature is an independent XML document. I may also validate the signature
>document, using the apropriate DTD or schema which takes into account
>SignatureProperties.
>
>I may also decide to create another XML document which includes both the
>original document element and the signature element - I can validate this
>combined document against a DTD or schema. This schema may refer to the original
>schemas for the original document and signature (as is done in the P3P profile),
>or for a DTD I may have to write a new one. Although the two documents are
>together, the signature reference will refer to the independent original
>document URI and not provide a fragment reference to the content in the combined
>document, so it won't be really fully self-contained.
><binding>
><info>...<info>
><Signature>...<Reference URL="http://somewhere/foo.xml">..</Signature>
></binding>
>
>If I create an enveloped signature, this means that when I sign the original XML
>document the  signature element is added to the document. Thus the original
>document becomes:
>
><info>
><item>abc</item>
><Signature>...<Reference URI="">...</Signature>
></info>
>
>In this case the reference URI refers to the actual XML document which includes
>the signature. This document will no longer validate unless the original
>document DTD or schema included an optional signature definition. Namespaces
>prevent name collisions but do not address the validation issue. Even if I have
>a namespace aware validating parser, this parser would still need both schemas
>and even then would not be able to validate this combined document - since the
>individual schemas would say nothing about how the two documents are combined
>(is that true?)
>
>Is this an argument for generally using detached signatures and then defining
>and creating new combination documents (as done in the P3P profile)? Is there a
>free validating parser which can validate enveloped signatures?
>
>thanks
>
>< Frederick
Received on Monday, 22 January 2001 12:43:02 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:12 GMT