W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > July to September 2001

Re: Enveloped-signature games with pre-c14n

From: merlin <merlin@baltimore.ie>
Date: Mon, 03 Sep 2001 18:06:26 +0100
To: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>
Cc: Joseph Reagle <reagle@w3.org>, w3c-ietf-xmldsig@w3.org
Message-Id: <20010903170626.E485044497@yog-sothoth.ie.baltimore.com>

Hi,

If we really want to clarify the point, I'd suggest simply appending a
sentence to 6.6.4 along the lines of: "This transform may only be applied
to a node-set from its parent XML document." Or something like that.

XPath already defines this use of here() as an error.

Merlin

r/geuer-pollmann@nue.et-inf.uni-siegen.de/2001.09.01/17:40:25
>Hi Joseph,
>
>> Christian/Merlin, I don't recall, did we ever resolve this proposal?
>
>I actually don't know. For me, it reads like :
>
>  "It's not possible to apply Transforms that produce octet
>   stream output (like base64 or c14n) prior to
>   #enveloped-signature transform or an #xpath transform
>   that uses the here() function. Additionally, it's not
>   possible to apply #enveloped-signature transform or an
>   #xpath transform that uses here() to a non-local URI."
>
>But I am not sure whether this is correct.
>Christian
>
>
>Dialog modified for readability:
>
>>>>>> If you perform c14n/reparse, then you have a new document.
>>>>>> Merlin
>
>>>>> Sorry fo bugging again. Could this be done by saying in the spec:
>>>>>
>>>>>   "It's not possible to apply Transforms that produce octet
>>>>>    stream output (like base64 or c14n) prior to
>>>>>    #enveloped-signature transform or an #xpath transform
>>>>>    that uses the here() function."
>>>>> Would this make sense?
>>>>> Christian
>
>>>> That doesn't cover the case of applying the transform to a non-local
>>>> URI. At most, a sentence saying that enveloped signature cannot be
>>>> applied to a resource other than a node set from the original signature
>>>> document. Given that the usage seems nonsensical, I'm not sure that
>>>> even this is really necessary.
>>>> Merlin
>
>>> But if I apply #enveloped-signature #xpath with here()-usage to a
>>> non-local URI, this is an error, isn't it?
>>> Christian
>
>> Hi Christian, It is. Your statement merely disallowed
>> certain transforms, not certain URIs.
>> Merlin
>
>
>
>
>Mit freundlichen Gr=FC=DFen,
>
>Christian Geuer-Pollmann
>
>
>--------------------------------------------------------------------------
>Institute for Data Communications Systems             University of Siegen
>Hoelderlinstrasse 3                 D-57068 Siegen                 Germany
>
>mail:  mailto:geuer-pollmann@nue.et-inf.uni-siegen.de
>web:  <http://www.nue.et-inf.uni-siegen.de/~geuer-pollmann/>
>


-----------------------------------------------------------------------------
Baltimore Technologies plc will not be liable for direct,  special,  indirect 
or consequential  damages  arising  from  alteration of  the contents of this
message by a third party or as a result of any virus being passed on.

In addition, certain Marketing collateral may be added from time to time to
promote Baltimore Technologies products, services, Global e-Security or
appearance at trade shows and conferences.

This footnote confirms that this email message has been swept by
Baltimore MIMEsweeper for Content Security threats, including
computer viruses.
   http://www.baltimore.com
Received on Monday, 3 September 2001 13:07:13 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:21:36 UTC