- From: Blake Dournaee <bdournaee@sarvega.com>
- Date: Fri, 17 Oct 2003 10:19:36 -0700
- To: w3c-ietf-xmldsig@w3.org
Hi Sanjay,
Given that you are working with a form, you'll want to consider the "See
what you sign" maxim from the XML Signature Recommendation. From a
security point of view and performance point of view, XPath Filter 2.0
is a good choice and I think that J. Boyer's comments are very
appropriate. From a more practical point of view it seems like grouping
the elements together with XSLT is a step in the right direction.
You've definitely got some grouping of elements to do given that some
elements have multiple signers. If I understand you correctly you'll
need to partition the list of elements to sign into multiple groups with
different signing semantics. Is it possible to take the form and
transform it using XSLT beforehand to reduce the complexity of the
<ds:Signature>?
You mentioned that for this particular form, some elements require
multiple signers. Your "a priori" XSLT transform could take the form and
transform it such that elements requiring multiple signers are grouped
together. For example:
<StructuredForm>
<OneSigner Id="one">
<!-- group elements here requiring one signer -->
</OneSigner>
<TwoSigners Id="two">
<!-- group elements here requiring two signers -->
</TwoSigners>
<ThreeSigners Id="three">
<!-- group elements here requiring three signers-->
</ThreeSigners>
</StructuredForm>
You could then build the XML Signature around this source XML file
instead. To keep with the "See what you sign" maxim, you might also
include a signature over the 'a priori' XSLT transform.
Blake Dournaee
Senior Architect
Sarvega, Inc.
Received on Friday, 17 October 2003 13:35:26 UTC