- From: Vamsi Motukuru <vamsi@phaos.com>
- Date: Thu, 11 Oct 2001 19:04:43 -0400
- To: <w3c-ietf-xmldsig@w3.org>
- Message-ID: <001a01c152a9$1d64f1f0$38844ec6@starlan.com>
Dear All,

I've seen a fair amount of Q&A on this topic in the DSIG mailing list over the past several months, and the universally stated reason for canonicalizing SignedInfo before Reference validation is to enforce WYSIWYS. However, I'm still having trouble understanding how this would really be implemented for same-document fragment Reference URIs where the referenced XML is a sibling subtree of the enclosing document. For example:

    <MyDoc>
      <ItemList ID="TheList">
        <Item num="001">First item</Item>
        <Item num="002">Second item</Item>
      </ItemList>
      <Signature>
        <SignedInfo>
          <CanonicalizationMethod> ... </CanonicalizationMethod>
          <SignatureMethod> ... </SignatureMethod>
          <Reference URI="#TheList">
            <DigestMethod> ... </DigestMethod>
            <DigestValue> ... </DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue> ... </SignatureValue>
      </Signature>
    </MyDoc>

When, at the start of reference validation, XML-C14N (or some other canonicalization) is applied to the SignedInfo, the result is an octet stream. In order to proceed with retrieving the referenced object and calculating the digest value, the application will first need to parse the octet stream to recover an XML document with Reference elements in it. This results in a new document that does not contain the data object identified in the Reference URI. What now?

Thanks,
Ari Kermaier
Phaos Technology Corp.
Received on Thursday, 11 October 2001 19:03:50 UTC
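The situation described in the message, as an added example that is not part of the original post: SignedInfo is canonicalized to octets and re-parsed, and the `#TheList` lookup is tried against the re-parsed document and against the original one. Assumptions: Python's standard-library `xml.etree.ElementTree.canonicalize` (C14N 2.0) stands in for the unspecified canonicalization, the elided element contents are replaced by empty elements, and the helper names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the message's document, elided contents left empty.
DOC = """<MyDoc>
  <ItemList ID="TheList">
    <Item num="001">First item</Item>
    <Item num="002">Second item</Item>
  </ItemList>
  <Signature>
    <SignedInfo>
      <CanonicalizationMethod/>
      <SignatureMethod/>
      <Reference URI="#TheList"><DigestMethod/><DigestValue/></Reference>
    </SignedInfo>
    <SignatureValue/>
  </Signature>
</MyDoc>"""

def find_by_id(root, uri):
    """Return the element whose ID attribute matches a '#id' URI, else None."""
    wanted = uri[1:] if uri.startswith("#") else uri
    return next((el for el in root.iter() if el.get("ID") == wanted), None)

def canonical_signed_info(doc_root):
    """Serialize SignedInfo alone into canonical octets (C14N 2.0 stand-in)."""
    signed_info = doc_root.find("./Signature/SignedInfo")
    text = ET.tostring(signed_info, encoding="unicode")
    return ET.canonicalize(text).encode("utf-8")

def resolve_references(signed_info_octets, lookup_root):
    """Read Reference URIs from the canonical octets and look each one up
    in lookup_root. Returns {uri: element or None}."""
    reparsed = ET.fromstring(signed_info_octets)
    return {ref.get("URI"): find_by_id(lookup_root, ref.get("URI"))
            for ref in reparsed.iter("Reference")}

def demo():
    original = ET.fromstring(DOC)
    octets = canonical_signed_info(original)
    reparsed = ET.fromstring(octets)  # new document: SignedInfo only
    return (octets,
            resolve_references(octets, reparsed),   # lookup in new document
            resolve_references(octets, original))   # lookup in original tree

if __name__ == "__main__":
    octets, in_reparsed, in_original = demo()
    print(octets.decode("utf-8"))
    print("in re-parsed SignedInfo:", in_reparsed)
    print("in original document:  ", in_original)
```
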