
Clarification of validation processing of XKMS XML Signatures

From: Ed Simon <edsimon@xmlsec.com>
Date: Thu, 5 Dec 2002 18:08:02 -0500
Message-ID: <001a01c29cb3$29512ce0$f2a0fea9@DJQC7111>
To: <www-xkms@w3.org>

As discussed ("http://www.w3.org/2001/XKMS/Minutes/021205-tele.html"),
to emphasize and clarify that digital signatures associated with an XKMS message
must be validated independent of any XML packaging around it (e.g. SOAP), I
suggest:

1. Changing all examples to use Exclusive XML Canonicalization rather than
XML Canonicalization.

2. In "Part 1 - 2.7.2 Element <ds:Signature>", adding
>>>
  Validation of XML Signatures MUST be done independent of any
  ancestral XML context of the message.  This may be achieved by
  * isolating the XKMS message from any 'wrapper' (e.g. SOAP) before
     validation or
  * specifying a canonicalization algorithm, such as Exclusive XML
     Canonicalization, in
     <SignedInfo>/<CanonicalizationMethod> to exclude ancestral XML context
     during the validation of the message.
<<<

3. In "3.3 Computation of XML Signature Elements in XKMS Messages" change
>>>
  "These are computed as described in Part 1, Section 6.0.2 and 6.0.3
   respectively, and assume the XKMS message has been removed from
   the SOAP message 'wrapper' at the time processing occurs."
<<< to >>>
  "These are computed as described in Part 1, Section 6.0.2 and 6.0.3
    respectively, and the signature validation processing described in
    "Part 1 - 2.7.2 Element <ds:Signature>.".
<<<

Ed
----------------------------------------------------------------------------
Ed Simon
<edsimon@xmlsec.com>
(613) 726-9645
XMLsec Inc.

Interested in XML Security Training and Consulting services?  Visit
"www.xmlsec.com".
Received on Thursday, 5 December 2002 18:05:08 GMT
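
The effect the message above describes, as an added example that is not part of the original post: when a signed XKMS message is canonicalized inside a SOAP wrapper, inclusive XML Canonicalization pulls the wrapper's namespace declarations into the signed subtree's top element, while Exclusive XML Canonicalization does not. The sample message, its Id value and all function names are constructed for illustration, and the code renders only the top element's start tag, which is where the ancestral context appears; it is not a full canonicalizer.

```python
from xml.dom import minidom

XKMS_NS = "http://www.w3.org/2002/03/xkms#"
# Constructed sample message and SOAP wrapper (not taken from the XKMS spec examples).
MESSAGE = '<LocateRequest xmlns="%s" Id="req1"><QueryKeyBinding/></LocateRequest>' % XKMS_NS
WRAPPED = ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
           '<soap:Body>%s</soap:Body></soap:Envelope>' % MESSAGE)

def is_ns_decl(attr):
    return attr.name == "xmlns" or attr.name.startswith("xmlns:")

def in_scope_namespaces(elem):
    """prefix -> URI for namespaces in scope at elem; the nearest declaration wins."""
    scope, node = {}, elem
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        for attr in node.attributes.values():
            if is_ns_decl(attr):
                scope.setdefault(attr.name[6:], attr.value)  # "xmlns" -> "" (default)
        node = node.parentNode
    return scope

def apex_start_tag(elem, exclusive):
    """Start tag of the signed subtree's top element as each algorithm emits it.
    Simplified: no attribute-value escaping, attributes sorted by name only."""
    scope = in_scope_namespaces(elem)
    plain = [a for a in elem.attributes.values() if not is_ns_decl(a)]
    if exclusive:
        # Exclusive C14N keeps only prefixes visibly used by the element or its attributes.
        used = {elem.prefix or ""} | {a.prefix for a in plain if a.prefix}
        scope = {p: u for p, u in scope.items() if p in used}
    out = "<" + elem.tagName
    for prefix, uri in sorted(scope.items()):
        out += ' xmlns%s="%s"' % (":" + prefix if prefix else "", uri)
    for attr in sorted(plain, key=lambda a: a.name):
        out += ' %s="%s"' % (attr.name, attr.value)
    return out + ">"

def digest_input(xml_text, exclusive):
    """Canonical start tag of the LocateRequest element found in xml_text."""
    doc = minidom.parseString(xml_text)
    apex = doc.getElementsByTagNameNS(XKMS_NS, "LocateRequest")[0]
    return apex_start_tag(apex, exclusive)

def survives_wrapping(exclusive):
    """True if the canonical form is identical with and without the SOAP wrapper."""
    return digest_input(MESSAGE, exclusive) == digest_input(WRAPPED, exclusive)

if __name__ == "__main__":
    for name, excl in (("inclusive", False), ("exclusive", True)):
        print(name, survives_wrapping(excl), digest_input(WRAPPED, excl))
```

A verifier that canonicalizes inclusively in place sees the extra xmlns:soap declaration and computes a different digest than the signer did, which is why the proposal offers two options: strip the wrapper first or use Exclusive XML Canonicalization.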
