- From: Ed Simon <edsimon@xmlsec.com>
- Date: Thu, 5 Dec 2002 18:08:02 -0500
- To: <www-xkms@w3.org>
As discussed ("http://www.w3.org/2001/XKMS/Minutes/021205-tele.html"), to emphasize and clarify that digital signatures associated with an XKMS message must be validated independent of any XML packaging around it (eg. SOAP), I suggest:

1. Changing all examples to use Exclusive XML Canonicalization rather than XML Canonicalization.

2. In "Part 1 - 2.7.2 Element <ds:Signature>", adding

>>>
Validation of XML Signatures MUST be done independent of any ancestral XML context of the message. This may be achieved by

* isolating the XKMS message from any 'wrapper' (eg. SOAP) before validation or

* specifying a canonicalization algorithm, such as Exclusive XML Canonicalization, in <SignedInfo>/<CanonicalizationMethod> to exclude ancestral XML context during the validation of the message.
<<<

3. In "3.3 Computation of XML Signature Elements in XKMS Messages" change

>>>
"These are computed as described in Part 1, Section 6.0.2 and 6.0.3 respectively, and assume the XKMS message has been removed from the SOAP message 'wrapper' at the time processing occurs."
<<<

to

>>>
"These are computed as described in Part 1, Section 6.0.2 and 6.0.3 respectively, and the signature validation processing described in "Part 1 - 2.7.2 Element <ds:Signature>."."
<<<

Ed

-----------------------------------------------------------------------------------------------------------------------
Ed Simon <edsimon@xmlsec.com>
(613) 726-9645
XMLsec Inc.

Interested in XML Security Training and Consulting services? Visit "www.xmlsec.com".
Received on Thursday, 5 December 2002 18:05:08 UTC
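The point behind suggestion 1 and the second bullet of suggestion 2, shown as an added example that is not part of Ed Simon's message or of the XKMS specification: a deliberately reduced canonicalizer (elements, attributes and text only, no comments, processing instructions or escaping) that models just the namespace-axis rule separating inclusive C14N from Exclusive C14N, so one can see why a digest over an XKMS element computed with inclusive C14N changes once the element sits inside a SOAP Body, while Exclusive C14N gives the same bytes in both contexts. The sample request is constructed and skeletal; the XKMS and SOAP 1.1 namespace URIs are taken from their respective specifications, not from the message.

```python
from xml.dom import XMLNS_NAMESPACE, minidom

def in_scope_ns(el):
    """Namespace declarations visible at el (nearest declaration wins)."""
    scope, chain = {}, []
    while el is not None and el.nodeType == el.ELEMENT_NODE:
        chain.append(el)
        el = el.parentNode
    for anc in reversed(chain):
        for a in anc.attributes.values():
            if a.namespaceURI == XMLNS_NAMESPACE:
                scope[a.localName if a.prefix else ""] = a.value
    return scope

def c14n(el, exclusive, rendered=frozenset()):
    """Reduced canonical form; only the namespace axis is modelled faithfully."""
    scope = in_scope_ns(el)
    attrs = [a for a in el.attributes.values() if a.namespaceURI != XMLNS_NAMESPACE]
    if exclusive:  # Exclusive C14N: only namespaces visibly utilized by this element
        used = {el.prefix or ""} | {a.prefix for a in attrs if a.prefix}
        decl = {p: scope[p] for p in used if p in scope}
    else:          # Inclusive C14N: every in-scope namespace, inherited ones included
        decl = scope
    decl = {p: u for p, u in decl.items() if (p, u) not in rendered}  # skip ones an ancestor already output
    out = "<" + el.tagName
    for p in sorted(decl):
        out += ' xmlns%s="%s"' % (":" + p if p else "", decl[p])
    for a in sorted(attrs, key=lambda a: (a.namespaceURI or "", a.localName)):
        out += ' %s="%s"' % (a.name, a.value)
    out += ">"
    for child in el.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            out += c14n(child, exclusive, rendered | set(decl.items()))
        elif child.nodeType == child.TEXT_NODE:
            out += child.data
    return out + "</%s>" % el.tagName

XKMS_NS = "http://www.w3.org/2002/03/xkms#"            # XKMS 2.0 namespace
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
# Constructed sample: a skeletal XKMS request, and the same request inside a SOAP body.
REQUEST = '<LocateRequest xmlns="%s" Id="r1"><QueryKeyBinding/></LocateRequest>' % XKMS_NS
ENVELOPE = '<soap:Envelope xmlns:soap="%s"><soap:Body>%s</soap:Body></soap:Envelope>' % (SOAP_NS, REQUEST)

def canonical_forms(exclusive):
    """Canonical form of LocateRequest standalone and as found inside the envelope."""
    alone = minidom.parseString(REQUEST).documentElement
    wrapped = minidom.parseString(ENVELOPE).getElementsByTagName("LocateRequest")[0]
    return c14n(alone, exclusive), c14n(wrapped, exclusive)

def signature_survives_wrapping(exclusive):
    """True when the bytes a signer would digest are unchanged by the SOAP wrapper."""
    return len(set(canonical_forms(exclusive))) == 1
```

With inclusive C14N the wrapped form gains an inherited `xmlns:soap` declaration on `LocateRequest`, so a signature computed over the bare message fails to validate inside the envelope; with Exclusive C14N both forms are byte-identical.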