
Re: Enveloped Signature Transform

From: Mauro Arcolini <arcolini@sec.di.unipi.it>
Date: Fri, 8 Feb 2002 12:41:08 +0100
Message-ID: <001001c1b095$7fda4070$0902a8c0@win9>
To: <w3c-ietf-xmldsig@w3.org>
merlin wrote:
>Mauro,

>The XPath filter "not (ancestor-or-self::ds:Signature)" will
>remove _all_ signatures from the document, so signatures can
>be added at will without breaking validity.

>An alternative filter could be constructed using:

>here()/ancestor::ds:Signature[1]/following-sibling::ds:Signature

>This would be slow, and would simply remove Signatures added
>_following_ this signature. This would constrain the placement
>of signatures, but might be more interesting.
Yes, it's a solution.

>Alternatively, with the enveloped signature transform, new
>signatures could be added as ds:Object elements within the
>first signature itself without XPath and without breaking
>validity.
It seems a very good solution, but do you repeat this behaviour if you want to add other ds:Signature elements? I.e., if you want to sign the first and the second ds:Signature, without breaking the second, do you add the third ds:Signature as a ds:Object element of the second, and so on?
Mauro Arcolini,
GapXse
Received on Friday, 8 February 2002 06:27:36 GMT
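
Added example, not part of the original message: a Python sketch comparing what the first signature's digest input looks like under the XPath filter `not(ancestor-or-self::ds:Signature)` and under the enveloped signature transform when a second signature is added as a sibling or nested in a `ds:Object`. Assumptions: ElementTree serialization plus SHA-256 stands in for canonicalization and digest, and the `doc`/`data` elements, `Id` values and helper names are constructed for illustration.

```python
import copy
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SIG, OBJ = f"{{{DS}}}Signature", f"{{{DS}}}Object"

def make_doc():
    # Constructed sample: a payload plus one enveloped signature, Id="sig1".
    root = ET.Element("doc")
    ET.SubElement(root, "data").text = "payload"
    ET.SubElement(root, SIG, Id="sig1")
    return root

def digest_input(root, drop):
    # Copy the tree, remove every element for which drop(e) is true, and hash
    # the serialization (a stand-in for canonicalization plus digest).
    root = copy.deepcopy(root)
    for parent in list(root.iter()):
        for child in list(parent):
            if drop(child):
                parent.remove(child)
    return hashlib.sha256(ET.tostring(root)).hexdigest()

def xpath_filter(root):
    # not(ancestor-or-self::ds:Signature): every signature subtree is dropped.
    return digest_input(root, lambda e: e.tag == SIG)

def enveloped(root, own_id="sig1"):
    # Enveloped signature transform: only the signature holding it is dropped.
    return digest_input(root, lambda e: e.tag == SIG and e.get("Id") == own_id)

def add_sibling(root, new_id):
    ET.SubElement(root, SIG, Id=new_id)
    return root

def add_nested(root, host_id, new_id):
    # Place the new signature in a ds:Object inside an existing signature.
    host = next(s for s in root.iter(SIG) if s.get("Id") == host_id)
    ET.SubElement(ET.SubElement(host, OBJ), SIG, Id=new_id)
    return root

def survives(transform, mutate):
    # True if the digest input is identical before and after the mutation.
    return transform(make_doc()) == transform(mutate(make_doc()))

if __name__ == "__main__":
    print("xpath, sibling:", survives(xpath_filter, lambda d: add_sibling(d, "sig2")))
    print("enveloped, sibling:", survives(enveloped, lambda d: add_sibling(d, "sig2")))
    print("enveloped, nested:", survives(enveloped, lambda d: add_nested(d, "sig1", "sig2")))
```

A digest input that stays the same after a signature is added also means that the added signature is not covered by the existing one, so a verifier has to decide separately whether to trust it.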
