- From: Donald E. Eastlake 3rd <dee3@torque.pothole.com>
- Date: Mon, 22 Jan 2001 12:43:06 -0500
- To: "Frederick J. Hirsch" <hirsch@caveosystems.com>
- cc: <w3c-ietf-xmldsig@w3.org>
Your observations generally seem correct and could be used as arguments for generating detached signatures and defining a new document type to include a signed document and the signature or arguements for other things such as not using validating parsers or defining document to provide for signature from the beginning or whatever... Donald From: "Frederick J. Hirsch" <hirsch@caveosystems.com> To: <w3c-ietf-xmldsig@w3.org> Date: Sun, 21 Jan 2001 16:17:14 -0500 Message-ID: <NEBBLPMKCKBLFHBJIHPCGEHHCIAA.hirsch@caveosystems.com> >I would like to clarify how XML validation works with XML Digital Signatures >(also applicable to confidentiality). [Is there a more appropriate place to >raise such a topic?] > >If I have an XML document with an associated DTD or schema, I may validate that >document. >The document might be ><info> ><item>abc</item> ></info> > >If I decide to sign that document I may use a detached signature or an enveloped >or enveloping signature. > >If I use a detached signature I may continue to validate the document since the >signature is an independent XML document. I may also validate the signature >document, using the apropriate DTD or schema which takes into account >SignatureProperties. > >I may also decide to create another XML document which includes both the >original document element and the signature element - I can validate this >combined document against a DTD or schema. This schema may refer to the original >schemas for the original document and signature (as is done in the P3P profile), >or for a DTD I may have to write a new one. Although the two documents are >together, the signature reference will refer to the independent original >document URI and not provide a fragment reference to the content in the combined >document, so it won't be really fully self-contained. ><binding> ><info>...<info> ><Signature>...<Reference URL="http://somewhere/foo.xml">..</Signature> ></binding> > >If I create an enveloped signature, this means that when I sign the original XML >document the signature element is added to the document. Thus the original >document becomes: > ><info> ><item>abc</item> ><Signature>...<Reference URI="">...</Signature> ></info> > >In this case the reference URI refers to the actual XML document which includes >the signature. This document will no longer validate unless the original >document DTD or schema included an optional signature definition. Namespaces >prevent name collisions but do not address the validation issue. Even if I have >a namespace aware validating parser, this parser would still need both schemas >and even then would not be able to validate this combined document - since the >individual schemas would say nothing about how the two documents are combined >(is that true?) > >Is this an argument for generally using detached signatures and then defining >and creating new combination documents (as done in the P3P profile)? Is there a >free validating parser which can validate enveloped signatures? > >thanks > >< Frederick
Received on Monday, 22 January 2001 12:43:02 UTC