
Re: History: Question on C14N list of nodes instead of subtrees

From: Joseph Reagle <reagle@w3.org>
Date: Mon, 28 Jan 2002 15:21:26 -0500
Message-Id: <200201282021.PAA11200@tux.w3.org>
To: "Karl Scheibelhofer" <Karl.Scheibelhofer@iaik.at>, "'John Boyer'" <JBoyer@PureEdge.com>, "'merlin'" <merlin@baltimore.ie>
Cc: <w3c-ietf-xmldsig@w3.org>
On Monday 28 January 2002 13:17, Karl Scheibelhofer wrote:
> yes, i use three references in each signature. those look like this:

Ok.

> c%20./ancestor::dsig:Signature%5b1%5d/child::dsig:Object/child::aida:pro
> perties/child::aida:signedProperties//@*%20%7c%20./ancestor::dsig:Signat
> ure%5b1%5d/child::dsig:Object/child::aida:properties/child::aida:signedP
> roperties//namespace::*)">

Well, having a transform such that these expressions can be easily expressed 
without character escaping would be one benefit -- much more readable! 
<smile/>

> each of these parallel
> signatures uses the same XPointer references, because the XPointers are
> relative. 

How is the relativity achieved? I note you are using "./ancestor" instead 
of "here()/ancestor". In XPtr isn't your context location [1] still 
initialized to the root node?

[1] http://www.w3.org/TR/xptr/#context

> i think i could live without these omission filters, because i cannot
> imagine a reasonable other use-case for them. who needs a filter like
> "just sign all attributes whose name is ..."?

The motivating scenario was of signing a form whereby I want to sign the 
whole form except a few of the fields where the recipient might enter their 
own information. This isn't easily accomplished via subtrees.

> the signature is never part of the signed document. consequently, i
> structure my documents so that this is really the case. this means the
> signature is never the descendant of any of its signed elements. in my
> use-case the signature is a sibling of the signed content, if it is
> inside the same document. and if the signature is detached, there is no
> problem anyway.
> putting all signed data into the Object element of a signature and then
> signing the complete document excluding the signature itself is "not a
> nice design", putting it mildly.

Ok, thank you! Understanding folks' deployment scenarios is very useful.

-- 

Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature/
W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/
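The form-signing scenario described above (sign the whole form except the fields the recipient fills in), as an added example that is not part of this thread or of any XMLDSIG implementation. It models the per-node evaluation of an XMLDSIG XPath-transform filter over a constructed sample form, with a hypothetical editable="yes" marker on the recipient's fields, and contrasts the resulting node-set with whole-subtree selection.

```python
import xml.etree.ElementTree as ET

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample form (not from the thread): the recipient-editable fields
# carry a hypothetical editable="yes" marker, and the Signature is a sibling
# of the signed content rather than a descendant of it.
FORM = """<order xmlns="urn:example:form">
  <item sku="A-1" qty="2"/>
  <total currency="EUR">40.00</total>
  <comments editable="yes">filled in by recipient</comments>
  <delivery editable="yes"><address/></delivery>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">sig-placeholder</Signature>
</order>"""


def keep(chain):
    """Hypothetical filter, in the spirit of an XPath-transform expression:
    a node is retained unless its ancestor-or-self axis contains the Signature
    element or an element marked editable='yes'.  `chain` is the list of
    elements on that axis; attribute and text nodes share their parent's."""
    return not any(e.tag == DSIG + "Signature" or e.get("editable") == "yes"
                   for e in chain)


def node_set(xml_text, filt=lambda chain: True):
    """Walk every element, attribute and text node in document order and
    evaluate `filt` with that node as context, as the XMLDSIG XPath transform
    does.  Returns the retained node-set as readable labels.  With the default
    filter this is plain whole-subtree selection from the root."""
    out = []

    def walk(el, chain):
        chain = chain + [el]
        local = el.tag.split("}")[-1]
        if filt(chain):
            out.append(local)
            out.extend(f"{local}/@{name}" for name in el.attrib)
            if el.text and el.text.strip():
                out.append(f"{local}/text()")
        for child in el:
            walk(child, chain)

    walk(ET.fromstring(xml_text), [])
    return out
```

Selecting the subtree rooted at `order` necessarily drags in the editable fields; the filtered node-set keeps the root element and its non-editable content while omitting the recipient's fields and the Signature, which is exactly what subtree references cannot express.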
Received on Monday, 28 January 2002 15:21:33 GMT
