
Re: Enveloped-signature games with pre-c14n

From: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>
Date: Tue, 04 Sep 2001 07:25:55 +0200
To: merlin <merlin@baltimore.ie>
Cc: Joseph Reagle <reagle@w3.org>, w3c-ietf-xmldsig@w3.org
Message-ID: <3155942629.999588355@pinkpanther>
Hi,

> If we really want to clarify the point, I'd suggest simply appending a
> sentence to 6.6.4 along the lines of: "This transform may only be applied
> to a node-set from its parent XML document." Or something like that.
>
> XPath already defines this use of here() as an error.

This looks good.


>
> Merlin
>
> r/geuer-pollmann@nue.et-inf.uni-siegen.de/2001.09.01/17:40:25
>> Hi Joseph,
>>
>>> Christian/Merlin, I don't recall, did we ever resolve this proposal?
>>
>> I actually don't know. For me, it reads like:
>>
>>  "It's not possible to apply Transforms that produce octet
>>   stream output (like base64 or c14n) prior to
>>   #enveloped-signature transform or an #xpath transform
>>   that uses the here() function. Additionally, it's not
>>   possible to apply #enveloped-signature transform or an
>>   #xpath transform that uses here() to a non-local URI."
>>
>> But I am not sure whether this is correct.
>> Christian
>>
>>
>> Dialog modified for readability:
>>
>>>>>>> If you perform c14n/reparse, then you have a new document.
>>>>>>> Merlin
>>
>>>>>> Sorry for bugging again. Could this be done by saying in the spec:
>>>>>>
>>>>>>   "It's not possible to apply Transforms that produce octet
>>>>>>    stream output (like base64 or c14n) prior to
>>>>>>    #enveloped-signature transform or an #xpath transform
>>>>>>    that uses the here() function."
>>>>>> Would this make sense?
>>>>>> Christian
>>
>>>>> That doesn't cover the case of applying the transform to a non-local
>>>>> URI. At most, a sentence saying that enveloped signature cannot be
>>>>> applied to a resource other than a node set from the original
>>>>> signature document. Given that the usage seems nonsensical, I'm not
>>>>> sure that even this is really necessary.
>>>>> Merlin
>>
>>>> But if I apply #enveloped-signature #xpath with here()-usage to a
>>>> non-local URI, this is an error, isn't it?
>>>> Christian
>>
>>> Hi Christian, It is. Your statement merely disallowed
>>> certain transforms, not certain URIs.
>>> Merlin
>>
>>
>>
>>
>> With kind regards,
>>
>> Christian Geuer-Pollmann
>>
>>
>> --------------------------------------------------------------------------
>> Institute for Data Communications Systems             University of Siegen
>> Hoelderlinstrasse 3                 D-57068 Siegen                 Germany
>>
>> mail:  mailto:geuer-pollmann@nue.et-inf.uni-siegen.de
>> web:  <http://www.nue.et-inf.uni-siegen.de/~geuer-pollmann/>
>>

With kind regards,

Christian Geuer-Pollmann


--------------------------------------------------------------------------
Institute for Data Communications Systems             University of Siegen
Hoelderlinstrasse 3                 D-57068 Siegen                 Germany

mail:  mailto:geuer-pollmann@nue.et-inf.uni-siegen.de
web:  <http://www.nue.et-inf.uni-siegen.de/~geuer-pollmann/>
Received on Tuesday, 4 September 2001 01:24:12 UTC
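
The restriction discussed in this thread, sketched as a check over a `ds:Reference` transform chain. This is an added example, not part of the original messages or of the XML Signature specification. The function names, the textual `here()` match, the same-document URI rule and the sample references are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = DS + "enveloped-signature"
XPATH = "http://www.w3.org/TR/1999/REC-xpath-19991116"
C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
# Transforms that emit an octet stream; anything after them works on a
# re-parsed, i.e. new, document.
OCTET_OUTPUT = {DS + "base64", C14N, C14N + "#WithComments"}
HERE_CALL = re.compile(r"\bhere\s*\(")  # conservative textual match


def needs_signature_document(transform):
    """True for #enveloped-signature or an XPath transform that calls here()."""
    alg = transform.get("Algorithm")
    if alg == XPATH:
        return bool(HERE_CALL.search(transform.findtext(f"{{{DS}}}XPath") or ""))
    return alg == ENVELOPED


def check_reference(reference):
    """Return the problems found in one ds:Reference element (empty list = ok)."""
    uri = reference.get("URI")
    # Assumption: only URI="" and "#fragment" count as same-document references.
    same_document = uri is not None and (uri == "" or uri.startswith("#"))
    problems, seen_octets = [], False
    for t in reference.iterfind(f"{{{DS}}}Transforms/{{{DS}}}Transform"):
        if needs_signature_document(t):
            if not same_document:
                problems.append("non-local URI")
            if seen_octets:
                problems.append("follows octet-stream transform")
        seen_octets = seen_octets or t.get("Algorithm") in OCTET_OUTPUT
    return problems


def make_reference(uri, transforms_xml):
    """Build a constructed ds:Reference for the demo (hypothetical helper)."""
    return ET.fromstring(
        f'<Reference xmlns="{DS}" URI="{uri}"><Transforms>{transforms_xml}'
        "</Transforms></Reference>")


if __name__ == "__main__":
    t = '<Transform Algorithm="{}"/>'.format
    print(check_reference(make_reference("", t(ENVELOPED) + t(C14N))))
    print(check_reference(make_reference("", t(C14N) + t(ENVELOPED))))
    print(check_reference(make_reference("http://example.com/a.xml", t(ENVELOPED))))
```

A verifier can run a check like this before dereferencing and transforming, so that a chain which has lost its link to the signature document is rejected rather than processed.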
