Re: What is the appropriate way to interpret URI's in the XML signed document.

From:  "XML DSig" <xmldsig@hotmail.com>
X-Originating-IP:  [196.1.104.84]
To:  w3c-ietf-xmldsig@w3.org
Date:  Mon, 12 Feb 2001 10:46:31 +0530
Message-ID:  <F1816Cw9fClNfnXafBZ00009606@hotmail.com>

>Hi:
>
>In the signed XML documents such as this:
>-----------------
><?xml version='1.0' encoding='UTF-8'?>
><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>  <SignedInfo>
>    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2000/WD-xml-c14n-20000119"/>
>    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
>    <Reference URI="file:///E:/Code/XSS4JPoC/SimpleSigningPoC/personal.xml">
>      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>      <DigestValue>sNiXgt6+NHWnE+Mwn+ZZfoPPEwE=</DigestValue>
>    </Reference>
>  </SignedInfo>
>  <SignatureValue>
>    bO6TFCw+JLYDwbrMYFxW+CeJBZlDotPuDXbMu4d+Jz6tmANuGzxtAw==
>  </SignatureValue>
>  <KeyInfo>
>    <KeyValue>
>      <DSAKeyValue>
>
>-----------------
>[using IBM XSS4J]
>
>we find there are URI's mentioned corresponding to the algorithm.
>
>I would like to know
>
>1) What do these URI's correspond to and what do they mean in the real life 
>implementation scenario ?

Algorithm identifying URIs correspond to algorithms.  This standard
isn't about "meaning".  What do you mean when you ask what they
"mean"?  Those specified in the XML DSIG document refer to the
algorithms given.  Other URIs can correspond to the same or different
algorithms.  Things are currently set up so that if you dereferenced
them, you get to human readable English text.

>2) Is it appropriate to interpret the URI's as "keys" whose values 
>correspond to java "class" which is the implementation of the actual 
>algorithm ?

From another point of view, these URIs are just character strings that
happen to meet the URI syntax constraints.  As such, if you felt like
using them as some sort of index or key into some table in some
implementation, I don't see why you shouldn't.  I don't off hand know
what syntax constraints there are on java class names.

>3) There seems to be no reference to the XML Schema / DTD in the document, 
>so how does one validate it ?

The signature Schema and DTD are referenced from the XML-Signature
Syntax and Processing document if you want to use them as part of a
rule driven syntax check.  A validating parser is not required.
(Note: The word "valid" is used in the standard for signature
validity, not XML validity.)

>4) There is a reference to the XMLDSIG namespace, should the recipient 
>application expect to find the XMLSchema corresponding to the XML Signed 
>document at the given URI ?

Why haven't you simply tried dereferencing it?  All this stuff is
currently set up to get you to the English human readable
XML-Signature Syntax and Processing document.

Donald

>I would appreciate if some members of the list would share their insight on 
>this.
>
>Thanks in advance.
>
>-XMLDSig.

Received on Monday, 12 February 2001 09:27:43 UTC
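
Added example, not part of the original message and not XSS4J code: one way to use the algorithm URIs as plain string keys into a fixed table, as the answer to question 2 allows, shown in Python rather than Java. The table contents, the function names and the sample SignedInfo are assumptions constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Algorithm URIs are opaque strings: compared exactly, never dereferenced.
# Assumed table for this example; it lists only what this verifier accepts.
DIGESTS = {
    DSIG + "sha1": hashlib.sha1,  # the DigestMethod URI from the message above
}


class UnsupportedAlgorithm(ValueError):
    """Raised when a document names an algorithm URI that is not in the table."""


def resolve_digest(uri):
    """Map an algorithm URI to its implementation; reject anything unknown."""
    try:
        return DIGESTS[uri]
    except KeyError:
        raise UnsupportedAlgorithm(uri) from None


def check_reference(signed_info_xml, content):
    """Return True if `content` hashes to the first Reference's DigestValue."""
    root = ET.fromstring(signed_info_xml)
    ref = root.find(f"{{{DSIG}}}Reference")
    uri = ref.find(f"{{{DSIG}}}DigestMethod").get("Algorithm")
    expected = base64.b64decode(ref.find(f"{{{DSIG}}}DigestValue").text.strip())
    return resolve_digest(uri)(content).digest() == expected


def sample_signed_info(content, digest_uri=DSIG + "sha1"):
    """Constructed sample input: a SignedInfo with one Reference over `content`."""
    value = base64.b64encode(hashlib.sha1(content).digest()).decode()
    return (
        f'<SignedInfo xmlns="{DSIG}">'
        f'<Reference URI="personal.xml">'
        f'<DigestMethod Algorithm="{digest_uri}"/>'
        f'<DigestValue>{value}</DigestValue>'
        f'</Reference></SignedInfo>'
    )


if __name__ == "__main__":
    doc = sample_signed_info(b"<personal/>")
    print(check_reference(doc, b"<personal/>"))             # matching content
    print(check_reference(doc, b"<personal>x</personal>"))  # altered content
```

This checks only the Reference digest; verifying SignatureValue over the canonicalized SignedInfo would use the same lookup for the SignatureMethod and CanonicalizationMethod URIs.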