- From: <edsimon@xmlsec.com>
- Date: Fri, 7 Dec 2001 15:48:48 -0600
- To: sekhar.vajjhala@sun.com
- Cc: w3c-ietf-xmldsig@w3.org
Just discovered this reply never made it from my "Draft" folder to my "Sent" folder. Oh well, better late than never... --------------------------------------------------------- The "short" (and incomplete) answer is that, yes, an application can "discover" a signature using DOM, XPath, XSLT, regular expressions, or whatever. HOWEVER, in my view, the "correct" answer is that a practical, secure system will use schemas or some other higher-level mechanism to dictate whether or not a signature must, or may, be at a certain node in the document. Further, such a system will dictate certain parameters of the Signature such as the algorithms used, and, of course, what that signature must cover. These parameters may be dictated through schemas and enforced through schema validation or through some other way of verifying the integrity of the structure. It isn't enough to simply find a signature willy-nilly and indicate only whether it is valid or not. Does this help? If I read too much into the question or misinterpreted it, let me know. Regards, Ed -- Original Message -- >When a recipient receives an XML document containing a signature - >perhaps >containing an envloped signature, how does the recipient know there >is an XML Signature in the content. Either the recipient can > >a. search for a <ds:Signature> element in the XML document >b. or know that there is a XML Signature through some other > mechanism. > >Which of the above two is the correct or prevalent model ? > >Thanks. > >Sekhar > > ----------------------------------------------------------------------------------------------- Ed Simon XMLsec Inc. Interested in XML Security Training and Consulting services? Visit "www.xmlsec.com".
Received on Friday, 7 December 2001 16:48:52 UTC