Re: Detached signature of non-sibling elements (?) from Frederick Hirsch on 2014-08-26 (public-xmlsec-comments@w3.org from August 2014)

From: Frederick Hirsch <w3c@fjhirsch.com>
Date: Tue, 26 Aug 2014 11:26:57 -0400
To: helpcrypto helpcrypto <helpcrypto@gmail.com>
Cc: Frederick Hirsch <w3c@fjhirsch.com>, public-xmlsec-comments@w3.org, "public-xmlsec@w3.org List Public" <public-xmlsec@w3.org>
Message-Id: <5381B272-FB91-4CA3-A803-C9BADEE4BCB4@fjhirsch.com>

Sorry, must have missed your earlier email.

basically you can sign content within the Signature Object element (enveloping signature), sign the content that contains the Signature (enveloped signature) or other content
(either in the same document but not the previous two cases, or external) as detached signature.

regarding your example, need to ref via #n, and with appropriate syntax

<Signature …>
…
<Reference URI=“#n”> 
...
</Signature>

Does this help?


regards, Frederick

Frederick Hirsch, Nokia
@fjhirsch



On Aug 26, 2014, at 2:27 AM, helpcrypto helpcrypto <helpcrypto@gmail.com> wrote:

> Ping?
> 
> 
> On Tue, Jul 29, 2014 at 9:30 AM, helpcrypto helpcrypto <helpcrypto@gmail.com> wrote:
> Hi.
> 
> 
> Altough XMLDSig [1] is quite old, stable and well-known, I havent been able to understand (maybe a translation/missunderstanding issue) the detached signatures properly.
> 
> According to [2]:
> "The signature is over content external to the Signature element, and can be identified via a URI or transform. Consequently, the signature is "detached" from the content it signs."
> 
> Ok. Detached elements...
> 
> 
> "This definition typically applies to separate data objects, but it also includes the instance where the Signature and data object reside within the same XML document but are sibling elements."
> 
> Ok. Signature and object in the same XML doc and siblings.
> 
> 
> As stated in [3] (I't seems the standard doesnt distinguish between internal/external)
> "the signature and data can be in separate files or in the same XML file as sibling elements"
> 
> 
> Shall I understand the "internally detached" unique valid signature is where signature and data are brothers (or sisters) [have the same parent]?
> 
> Is the following example a valid detached signature?
> <root>
>     <my-data>
>         <node Id="n"></node>
>     <my-data>
>     <my-sign>
>         <signature ref="n"></signature>
>     </my-sign>
> </root>
> 
> Thanks a lot for your help
> Regards
> 
> 
> [1] http://www.w3.org/TR/xmldsig-core/
> [2] http://www.w3.org/TR/xmldsig-core/#def-SignatureDetached
> [3] http://msdn.microsoft.com/en-us/library/ms759193%28v=vs.85%29.aspx
>

Received on Tuesday, 26 August 2014 15:27:30 UTC