W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > July to September 2007

Re: AW: XML Signature - Request for clarification [Virus checked]

From: Tom Gindin <tgindin@us.ibm.com>
Date: Thu, 9 Aug 2007 08:27:16 -0400
To: "Marcus Ertel" <m.ertel@gmx.com>, "'Christian Geuer-Pollmann'" <Christian.Geuer-Pollmann@microsoft.com>
Cc: Heiko.Dittmann@Sparkassen-Informatik.de, Konrad.Lanz@iaik.tugraz.ac.at, Marcus.Ertel@Extern.Sparkassen-Informatik.de, public-xmlsec-maintwg@w3.org, w3c-ietf-xmldsig@w3.org
Message-ID: <OF6253DBC2.DC77D834-ON85257332.00433E0E-85257332.004455E6@us.ibm.com>


        How does a complete absence of escape processing for the Reference 
attribute square with XMLDSIG section  That section says (point 
2) that "some Unicode characters are disallowed from URI references 
including all non-ASCII characters and the excluded characters listed in 
RFC2396 [URI, section 2.4].  However, the number sign (#), percent sign 
(%), and square bracket characters re-allowed in RFC 2732 [URI-Literal] 
are permitted."  None of the characters in Marcus' example need to be 
escaped, and the test vectors explicitly show solidus and apostrophe as 
not being escaped.  But don't angle brackets and double quotation marks 
need to be escaped?

                Tom Gindin

From: "Marcus Ertel" <m.ertel@gmx.com>
Sent by: w3c-ietf-xmldsig-request@w3.org
Date: 08/08/2007 04:32 PM

To: "'Christian Geuer-Pollmann'" <Christian.Geuer-Pollmann@microsoft.com>, 
<w3c-ietf-xmldsig@w3.org>, <Konrad.Lanz@iaik.tugraz.ac.at>, 
Subject: AW: XML Signature - Request  for clarification [Virus checked]

Thanks for your quick response! Well, this looks like quite a
straightforward solution to a tedious problem. I remember that I came across
a hint in the direction that you describe when my research led me into the
Javadocs of the URLEncoder class that produces the (in our case) wrong
output (an ISV's library required the Reference URI to be RFC 2396 compliant). 
But I just couldn't (and almost still can't) imagine a solution this easy,
because there were long and very qualified discussions with ISVs, 
of JCEs and even the German section of the W3C regarding the handling of
the Reference URI.

Anyway, I'm glad that this issue looks solved now. And maybe there'll be
more contributions to this discussion by the other addressees of your

Thanks again and best regards!

> -----Original Message-----
> From: Christian Geuer-Pollmann 
> [mailto:Christian.Geuer-Pollmann@microsoft.com] 
> Sent: Wednesday, 8 August 2007 21:09
> To: Marcus.Ertel@Extern.Sparkassen-Informatik.de; 
> public-xmlsec-maintwg@w3.org
> Cc: w3c-ietf-xmldsig@w3.org; Konrad.Lanz@iaik.tugraz.ac.at; 
> m.ertel@gmx.com; Heiko.Dittmann@Sparkassen-Informatik.de
> Subject: RE: XML Signature - Request for clarification [Virus checked]
> Marcus, 
> your first example
>    <Reference URI="#xpointer(//*[@authenticate='true'])"> 
> is correct. The other thing *would* be the escape sequence 
> which you need when sending the URI as part of a GET request 
> to some web server, i.e. when the URI would be consumed and 
> cracked by an HTTP server. That is not the case in XML 
> Signature: the @URI attribute here is processed by an XML 
> Signature library, which does not expect that escaping. Doing 
> RFC2396 escaping in a ds:Reference/@URI is wrong (and just 
> feeding that into a concrete implementation should actually 
> give you that answer with some nice exception :)). 
> Best regards,
> Christian
> Europäisches Microsoft Innovations Center GmbH, Ritterstrasse 
> 23, D-52072 Aachen, Germany
> Managing Directors: Keith Dolliver, Benjamin O. Orndorff; 
> Aachen District Court, HRB 12066
> http://www.microsoft.com/emic/ 
> From: w3c-ietf-xmldsig-request@w3.org 
> [mailto:w3c-ietf-xmldsig-request@w3.org] On Behalf Of 
> Marcus.Ertel@Extern.Sparkassen-Informatik.de
> Sent: Monday, 6 August 2007 14:26
> To: public-xmlsec-maintwg@w3.org
> Cc: w3c-ietf-xmldsig@w3.org; Konrad.Lanz@iaik.tugraz.ac.at; 
> m.ertel@gmx.com; Heiko.Dittmann@Sparkassen-Informatik.de
> Subject: XML Signature - Request for clarification [Virus checked]
> Ladies and Gentlemen: 
> Let me start with a brief introduction of the issue that 
> makes me ask for a clarification from your side. 
> My name is Marcus Ertel and I am with "Sparkassen 
> Informatik", one of the biggest IT service providers in 
> Germany. We are currently busy introducing the new money 
> transfer standard EBICS (Electronic Banking Internet 
> Communication Standard; please see 
> <http://www.ebics-zka.de/english/spec/specification_en.htm>) 
> which relies heavily on XML and particularly XML Signature. 
> The various implementations of EBICS raised a discussion 
> concerning the handling of the Reference URI in the 
> SignedInfo element of an XML signature. The issue is, quite 
> briefly, as follows: 
> The XML data of an EBICS message contain a <SignedInfo> 
> element with a <Reference URI> that contains an XPointer: 
>         <Reference URI="#xpointer(//*[@authenticate='true'])"> 
> Now there's an ongoing discussion about the handling of this 
> URI before the calculation of the XML Signature. One opinion 
> is as follows: 
> In order to obtain a valid, RFC 2396 compliant URI, parts of 
> the Reference URI have to be escaped properly. Hence, the URI 
> fed into the signature process is as follows: 
> <Reference 
> URI="#xpointer(%2F%2F*%5B%40authenticate%3D%27true%27%5D)"> 
> On the other hand, there is quite the opposite opinion. Its 
> proponents say that no escaping at all is necessary, because 
> the URI consists of just an XPointer. And as all the 
> candidates for escaping are parts of this XPointer, they do 
> not infringe the requirements of RFC 2396. 
> Could you please kindly advise on how to process this special 
> URI? We need this clarification because there are ISVs 
> providing the German banking software market with these two 
> implementations of the XML Signature standard. This in turn 
> leads to products unable to cope with each other while all of 
> them claim to be compliant with the XML Signature standard. 
> Thank you very much in advance and best regards from Munich 
> Marcus Ertel, Sparkassen Informatik 
> Sparkassen Informatik GmbH & Co.KG
> Richard-Reitzner-Allee 8
> 85540 München / Haar 
> _____________________________________________________________________ 
> Sparkassen Informatik GmbH & Co. KG, Theodor-Heuss-Allee 90, 
> D 60486 Frankfurt a.M. 
> Frankfurt a.M. District Court HRA 30059; 
> Chairman of the Supervisory Board: Dr. Rolf Gerlach; General 
> Partner: Sparkassen Informatik 
> Verwaltungsgesellschaft mbH, registered office: Frankfurt a.M., 
> Frankfurt a.M. District Court HRB 52289, Managing Directors: 
> Fridolin Neumann (Chairman), Franz-Theo Brockhoff (Deputy 
> Chairman), Werner Brunner (Deputy Chairman), Uwe 
> Katzenburg (Deputy Chairman), Willi Bär, Harald Lux;
> Internet: http://www.sparkassen-informatik.de, E-Mail: 
> kontakt@sparkassen-informatik.de
Received on Thursday, 9 August 2007 12:27:41 UTC
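Editor's note: the following is an added example, written for this archive page and not code from any participant in the thread, from EBICS, or from any XML Signature library. It illustrates the two points argued above: the escaping rule Tom quotes (XMLDSIG section 4.3.3.1, "The URI Attribute": escape non-ASCII characters and the RFC 2396 section 2.4 excluded characters, except that `#`, `%`, `[` and `]` stay allowed), applied to Marcus's XPointer URI, and what happens when a library that takes `@URI` literally is handed the percent-escaped variant. The sample document, its element names, the minimal XPointer resolver and the simplified (not canonicalized) SignedInfo are all constructed for the example; they are not the EBICS schema and not a real implementation's dereferencing code.

```python
"""Added example: ds:Reference/@URI escaping versus what a signature
library actually does with the attribute.  Everything below is
constructed for illustration; nothing is EBICS- or library-specific."""
import hashlib
import re
import xml.etree.ElementTree as ET

# Characters XMLDSIG section 4.3.3.1 requires to be percent-escaped in a
# Reference URI: the RFC 2396 section 2.4 excluded set (control, space,
# delims, unwise) minus '#', '%', '[' and ']', which XMLDSIG re-allows,
# plus every non-ASCII character (as the %HH of its UTF-8 bytes).
_EXCLUDED_ASCII = set(' <>"{}|\\^`')


def escape_reference_uri(uri: str) -> str:
    """Escape only what XMLDSIG disallows.  '/', '(', ')', '*', "'", '@',
    '=', '#', '[' and ']' are left alone, so an XPointer like the one in
    the thread passes through unchanged; '<', '"', space and non-ASCII
    text do get escaped."""
    out = []
    for ch in uri:
        code = ord(ch)
        if ch in _EXCLUDED_ASCII or code < 0x20 or code >= 0x7F:
            out.extend("%%%02X" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


_XPOINTER = re.compile(r"\A#xpointer\((.*)\)\Z", re.S)


def dereference(uri: str, root: ET.Element) -> list:
    """Minimal same-document XPointer resolver (constructed stand-in for a
    library's dereferencing).  Like a real XML Signature library it takes
    @URI literally: nothing is percent-decoded, so an escaped XPointer is
    simply not an XPointer expression it can evaluate and is rejected."""
    m = _XPOINTER.match(uri)
    if m is None:
        raise ValueError("unsupported Reference URI: %r" % uri)
    xpath = m.group(1)
    # ElementTree spells '//' from the document root as './/'.  Anything
    # that does not start with '//' (e.g. '%2F%2F*...') is not an XPath we
    # can evaluate, which is the "nice exception" Christian refers to.
    if not xpath.startswith("//"):
        raise ValueError("cannot evaluate XPointer expression: %r" % xpath)
    return root.findall("." + xpath)


def signed_info_digest(uri: str) -> str:
    """Digest over a simplified (uncanonicalized) SignedInfo.  The
    Reference/@URI bytes are part of what is signed, so two
    implementations that spell the URI differently sign different
    SignedInfo values and can never verify each other's signatures."""
    signed_info = (
        '<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'
        '<Reference URI="%s">'
        '<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
        '<DigestValue>AAAA</DigestValue></Reference></SignedInfo>' % uri
    )
    return hashlib.sha256(signed_info.encode("utf-8")).hexdigest()


# Constructed sample document; element names are illustrative only.
SAMPLE_XML = """<Request>
  <header authenticate="true"><HostID>host1</HostID></header>
  <body authenticate="true"><Data>payload</Data></body>
  <Trailer><Note>not authenticated</Note></Trailer>
</Request>"""

CORRECT_URI = "#xpointer(//*[@authenticate='true'])"                   # Marcus's first form
ESCAPED_URI = "#xpointer(%2F%2F*%5B%40authenticate%3D%27true%27%5D)"  # the disputed form


def resolve_sample(uri: str) -> list:
    """Tags selected by `uri` in the constructed sample document."""
    return [e.tag for e in dereference(uri, ET.fromstring(SAMPLE_XML))]


if __name__ == "__main__":
    print("escaping rule leaves the XPointer alone:",
          escape_reference_uri(CORRECT_URI) == CORRECT_URI)
    print("selected elements:", resolve_sample(CORRECT_URI))
    try:
        resolve_sample(ESCAPED_URI)
    except ValueError as exc:
        print("escaped form rejected:", exc)
    print("same SignedInfo digest?",
          signed_info_digest(CORRECT_URI) == signed_info_digest(ESCAPED_URI))
```

On Tom's question: under the rule as implemented above, `<` and `"` do get escaped (to `%3C` and `%22`). That is separate from the XML layer's own attribute escaping (`&lt;`, `&quot;`), which the XML parser removes before the signature library ever sees the attribute value.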

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:21:40 UTC