W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > April to June 2002

Re: Ill-desiged transform sequences

From: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>
Date: Tue, 30 Apr 2002 10:28:54 +0200
To: Gregor Karlinger <gregor.karlinger@iaik.at>, XMLSigWG <w3c-ietf-xmldsig@w3.org>
Message-id: <9132231.1020162534@crypto>
Hi Gregor,

I would say that this sequence is ILLEGAL and/or simply does not work 
because c14n trashes the here() context and is therefore not allowed. XPath 
or enveloped-signature requires re-parsing and then here() is evaluated 
against a different document.

Apache impl throws exception in that case...

Regards,
Christian

--On Dienstag, 30. April 2002 09:33 +0200 Gregor Karlinger 
<gregor.karlinger@iaik.at> wrote:

> Recently I had a discussion with a customer regarding
> the legality of an XML signature bearing a reference
> that has the following structure (which does not make
> sense at all, but should demonstrate the problem):
>
>   1. The URI attribute contains the empty string "";
>   2. The first transform is a C14N transform;
>   3. The second transform is an enveloped sig. tf.
>
> I argued that such a signature is not legal regarding
> the processing model of XMLDSIG, since it is impossible
> to cut out the signature from a node set which, due
> to the intermediate C14N transform, does not represent
> the original XML document bearing the XML signature.
>
> A similar problem occurs, if the env. sig. tf. is re-
> placed by an XPath transform using the here() function.
>
> Any opinions?
>
> Regards, Gregor
>
Received on Tuesday, 30 April 2002 04:25:09 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:15 GMT