Problem with merlin-xmldsig-sixteen/signature.xml

Hi Merlin,

I have a question about your sample signature from 
merlin-xmldsig-sixteen/signature.xml: I can verify _all_ References but not 
the one with URI="#xpointer(id('object-3'))" and no Transforms:

In the file, there was this snippet:

<Reference Type="http://www.w3.org/2000/09/xmldsig#Object" 
URI="#xpointer(id('object-3'))">
  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
  <DigestValue>0aW4L0GoFzYUo4gyZSfoyZBhpuc=</DigestValue>
</Reference>

After dereferencing the XPointer URI with _my_ implementation, all comment 
nodes are available in the input. Is this right? What I found in the spec 
was these two code snippets:

4.3.3.2 The Reference Processing Model
  We RECOMMEND support for the same-document XPointers '#xpointer(/)'
  and '#xpointer(id('ID'))' if the application also intends to support
  any canonicalization that preserves comments.

4.3.3.3 Same-Document URI-References
  To retain comments while selecting an element by an identifier ID,
  use the following full XPointer: URI='#xpointer(id('ID'))'.

What I understood from this was that de-referncing an XPointer URI means 
that Comments are available before I feed the input to my (possibly 
defined) transforms (otherwise, it would not make sense to use a 
c14n#WithComments because they have been already stripped away before this 
transform can take place).

Is there a mistake in the example or do I misunderstand the spec? From what 
I see, it should be something like this (cryptographically correct values):

<!-- If we want comments; we don't have to do something because they are 
there -->
<Reference Type="http://www.w3.org/2000/09/xmldsig#Object"
           URI="#xpointer(id('object-3'))">
  <DigestMethod
           Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
  <DigestValue>1puYWb36Z5TIDmEIVd/JLR3iD8Y=</DigestValue>
</Reference>

<!-- If we want no comments, so we have to kick them away -->
<Reference Type="http://www.w3.org/2000/09/xmldsig#Object"
           URI="#xpointer(id('object-3'))">
  <Transforms>
    <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" 
/>
  </Transforms>
  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
  <DigestValue>0aW4L0GoFzYUo4gyZSfoyZBhpuc=</DigestValue>
</Reference>


Best regards,
Christian

Received on Thursday, 4 October 2001 15:21:20 UTC