
Re: Enveloped-signature games with pre-c14n

From: merlin <merlin@baltimore.ie>
Date: Mon, 03 Sep 2001 18:06:26 +0100
To: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>
Cc: Joseph Reagle <reagle@w3.org>, w3c-ietf-xmldsig@w3.org
Message-Id: <20010903170626.E485044497@yog-sothoth.ie.baltimore.com>


If we really want to clarify the point, I'd suggest simply appending a
sentence to 6.6.4 along the lines of: "This transform may only be applied
to a node-set from its parent XML document." Or something like that.

XPath already defines this use of here() as an error.


>Hi Joseph,
>> Christian/Merlin, I don't recall, did we ever resolve this proposal?
>I actually don't know. For me, it reads like:
>  "It's not possible to apply Transforms that produce octet
>   stream output (like base64 or c14n) prior to
>   #enveloped-signature transform or an #xpath transform
>   that uses the here() function. Additionally, it's not
>   possible to apply #enveloped-signature transform or an
>   #xpath transform that uses here() to a non-local URI."
>But I am not sure whether this is correct.
>Dialog modified for readability:
>>>>>> If you perform c14n/reparse, then you have a new document.
>>>>>> Merlin
>>>>> Sorry for bugging again. Could this be done by saying in the spec:
>>>>>   "It's not possible to apply Transforms that produce octet
>>>>>    stream output (like base64 or c14n) prior to
>>>>>    #enveloped-signature transform or an #xpath transform
>>>>>    that uses the here() function."
>>>>> Would this make sense?
>>>>> Christian
>>>> That doesn't cover the case of applying the transform to a non-local
>>>> URI. At most, a sentence saying that enveloped signature cannot be
>>>> applied to a resource other than a node set from the original signature
>>>> document. Given that the usage seems nonsensical, I'm not sure that
>>>> even this is really necessary.
>>>> Merlin
>>> But if I apply #enveloped-signature #xpath with here()-usage to a
>>> non-local URI, this is an error, isn't it?
>>> Christian
>> Hi Christian, It is. Your statement merely disallowed
>> certain transforms, not certain URIs.
>> Merlin
>With kind regards,
>Christian Geuer-Pollmann
>Institute for Data Communications Systems             University of Siegen
>Hoelderlinstrasse 3                 D-57068 Siegen                 Germany
>mail:  mailto:geuer-pollmann@nue.et-inf.uni-siegen.de
>web:  <http://www.nue.et-inf.uni-siegen.de/~geuer-pollmann/>

Received on Monday, 3 September 2001 13:07:13 UTC
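
The two constraints discussed in this thread can be checked mechanically before a Reference is processed. The following is an added example, not part of the thread or of the XMLDSig specification: the function names and sample References are constructed, the here() test is a crude textual match, and a Reference with no URI attribute is assumed to be non-local.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = DS + "enveloped-signature"
XPATH = "http://www.w3.org/TR/1999/REC-xpath-19991116"
C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
# Transforms whose output is an octet stream (the thread names base64 and c14n).
OCTET_OUTPUT = {DS + "base64", C14N, C14N + "#WithComments"}


def needs_signature_document(transform):
    """True for enveloped-signature, or an XPath transform that calls here()."""
    alg = transform.get("Algorithm")
    if alg == ENVELOPED:
        return True
    if alg == XPATH:
        expr = transform.findtext(f"{{{DS}}}XPath") or ""
        # Assumption: a textual match is enough for this illustration.
        return "here(" in expr.replace(" ", "")
    return False


def check_reference(reference_xml):
    """Return the problems found in one ds:Reference (empty list means OK)."""
    ref = ET.fromstring(reference_xml)
    uri = ref.get("URI")
    # Same-document references are "" or a bare fragment such as "#id".
    same_document = uri is not None and (uri == "" or uri.startswith("#"))
    problems, octets_seen = [], False
    for t in ref.iterfind(f"{{{DS}}}Transforms/{{{DS}}}Transform"):
        if needs_signature_document(t):
            if not same_document:
                problems.append("applied to a non-local URI")
            if octets_seen:
                # After c14n/base64 and a reparse the input is a new document.
                problems.append("applied after an octet-stream transform")
        if t.get("Algorithm") in OCTET_OUTPUT:
            octets_seen = True
    return problems


def sample_reference(uri, *algorithms):
    """Build a constructed ds:Reference with the given transform chain."""
    ts = "".join(f'<Transform Algorithm="{a}"/>' for a in algorithms)
    return (f'<Reference xmlns="{DS}" URI="{uri}">'
            f"<Transforms>{ts}</Transforms></Reference>")


if __name__ == "__main__":
    print(check_reference(sample_reference("", C14N, ENVELOPED)))
```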
