Re: Clarification on 4.3.3.2 and 4.3.3.3

Hi,

r/tk-mori@isd.nec.co.jp/2001.10.10/16:02:48
>1. If an XML Signature Application accepts a DOM node as an
>   input XML document in which it creates a <ds:Signature>
>   element, Sections 4.3.3.2 and 4.3.3.3 of the XML DSIG
>   spec implicitly define that the input DOM node has
>   to be the result of well-formed processing of the octet
>   stream of the document.

>2. If an XML Signature Application accepts an octet stream
>   as an input XML document in which it creates a
>   <ds:Signature> element, Sections 4.3.3.2 and
>   4.3.3.3 of the XML DSIG spec implicitly define that
>   it has to parse the input octet stream via well-formed
>   processing.

Sections 4.3.3.2 and 4.3.3.3 refer *only* to the reference
processing model; that is, processing the target of a
dsig:Reference element. They do not say anything, explicit
or implicit, about the document in which a signature is
created.

Indeed, see section 3.1.2 of the processing rules (signature
generation):

" Note, if the Signature includes same-document references, [XML] or
  [XML-schema] validation of the document might introduce changes that
  break the signature. Consequently, applications should be careful
  to consistently process the document or refrain from using external
  contributions (e.g., defaults and entities). "

[ http://www.w3.org/Signature/Drafts/xmldsig-core/Overview.html ]

This clearly states that parsing of the signature document
itself is application-specific, and may be validating or well
formed.

Merlin



Received on Wednesday, 10 October 2001 08:59:50 UTC
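
The effect described in the section 3.1.2 note quoted above, as an added example that is not part of the original message: the same octets are digested once with DTD attribute defaults applied and once without, and a same-document digest only matches when signer and verifier process the document the same way. The sample document, the function names, the sorted-attribute serializer (a simplified stand-in, not C14N) and the use of expat's `specified_attributes` switch to model a processor that ignores DTD contributions are all assumptions of this example.

```python
import hashlib
from xml.parsers import expat
from xml.sax.saxutils import escape, quoteattr

# Constructed sample document: the DTD contributes a default attribute
# ("currency") that does not appear in the element's own start tag.
DOC = b"""<!DOCTYPE order [
  <!ATTLIST item currency CDATA "USD">
]>
<order><item id="i1">42</item></order>"""


def serialize(octets, apply_dtd_defaults):
    """Parse octets and re-serialize with sorted attributes.

    Simplified stand-in for canonicalization (assumption), not C14N.
    """
    out = []
    parser = expat.ParserCreate()
    # expat reports DTD-defaulted attributes unless this flag is set.
    parser.specified_attributes = int(not apply_dtd_defaults)

    def start(name, attrs):
        rendered = "".join(
            f" {k}={quoteattr(v)}" for k, v in sorted(attrs.items())
        )
        out.append(f"<{name}{rendered}>")

    parser.StartElementHandler = start
    parser.EndElementHandler = lambda name: out.append(f"</{name}>")
    parser.CharacterDataHandler = lambda data: out.append(escape(data))
    parser.Parse(octets, True)
    return "".join(out).encode("utf-8")


def digest(octets, apply_dtd_defaults):
    """Digest of the node-set as this processing mode sees it."""
    return hashlib.sha256(serialize(octets, apply_dtd_defaults)).hexdigest()


def signature_survives(octets, signer_defaults, verifier_defaults):
    """True when signer and verifier compute the same reference digest."""
    return digest(octets, signer_defaults) == digest(octets, verifier_defaults)


if __name__ == "__main__":
    print("consistent processing:", signature_survives(DOC, True, True))
    print("mixed processing:     ", signature_survives(DOC, True, False))
```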