W3C home > Mailing lists > Public > public-xmlsec-comments@w3.org > August 2014

Re: Detached signature of non-sibling elements (?)

From: helpcrypto helpcrypto <helpcrypto@gmail.com>
Date: Wed, 27 Aug 2014 08:49:25 +0200
Message-ID: <CAHMQSgsKL3bgFAjXDvm7b9QnuJbSi5wZ4xO6S6qOeOjdncGfVw@mail.gmail.com>
To: Frederick Hirsch <w3c@fjhirsch.com>
Cc: public-xmlsec-comments@w3.org, "public-xmlsec@w3.org List Public" <public-xmlsec@w3.org>
Hi Frederick.


According to your comment, this IS a valid detached signature, isnt it?

<root>
    <my-data>
        <node Id="n"></node>
    <my-data>
    <my-sign>
        <Signature …>
            …
            <Reference URI=“#n”>
            ...
        </Signature>
    </my-sign>
</root>

Just to be sure (not miss-translating): sibling are only sister/brother,
right?

As stated in [4], " Detached signatures are over external network resources
or local data objects that reside within the same XML document *as sibling
elements*; in this case, the signature is neither enveloping (signature is
parent) nor enveloped (signature is child). "

Also in [2], "The signature is over content external to the Signature
element, and can be identified via a URI or transform. Consequently, the
signature is "detached" from the content it signs. This definition
typically applies to separate data objects, but it also includes the
instance where the Signature and data object reside within the same XML
document *but are sibling elements*."


I think both paragraphs induce an error/missunderstanding.
Hence, I request a correction/errata:
 -If the sibling part was added on purpose, many signatures "out there" are
invalid, but on detached signatures content-data MUST BE siblings. Spec
should be much more clear on this.
 -If the sibling part was accidental, remove the bold/underlined parts and
add an errata reference.

Should I proceed in someway to request this errata be considered officially?

Thanks a lot for your time and help
Regards.
PS: Someone should request Microsoft do the same with [3]...and even not to
distinguish between internal/external ;)

[4] http://www.w3.org/TR/xmldsig-core/#sec-Overview




On Tue, Aug 26, 2014 at 5:26 PM, Frederick Hirsch <w3c@fjhirsch.com> wrote:

> Sorry, must have missed your earlier email.
>
> basically you can sign content within the Signature Object element
> (enveloping signature), sign the content that contains the Signature
> (enveloped signature) or other content
> (either in the same document but not the previous two cases, or external)
> as detached signature.
>
> regarding your example, need to ref via #n, and with appropriate syntax
>
> <Signature …>
> …
> <Reference URI=“#n”>
> ...
> </Signature>
>
> Does this help?
>
> regards, Frederick
>
> Frederick Hirsch, Nokia
> @fjhirsch
>
>
>
> On Aug 26, 2014, at 2:27 AM, helpcrypto helpcrypto <helpcrypto@gmail.com>
> wrote:
>
> Ping?
>
>
> On Tue, Jul 29, 2014 at 9:30 AM, helpcrypto helpcrypto <
> helpcrypto@gmail.com> wrote:
>
>> Hi.
>>
>>
>> Altough XMLDSig [1] is quite old, stable and well-known, I havent been
>> able to understand (maybe a translation/missunderstanding issue) the
>> detached signatures properly.
>>
>> According to [2]:
>> "*The signature is over content external to the Signature element, and
>> can be identified via a URI or transform. Consequently, the signature is
>> "detached" from the content it signs.*"
>>
>> Ok. Detached elements...
>>
>>
>> "*This definition typically applies to separate data objects, but it
>> also includes the instance where the Signature and data object reside
>> within the same XML document but are sibling elements.*"
>>
>> Ok. Signature and object in the same XML doc and siblings.
>>
>>
>> As stated in [3] (I't seems the standard doesnt distinguish between
>> internal/external)
>> "the signature and data can be in separate files or in the same XML file
>> as sibling elements"
>>
>>
>> Shall I understand the "internally detached" *unique valid signature* is
>> where signature and data are brothers (or sisters) [have the same parent]?
>>
>>
>> *Is the following example a valid detached signature? *
>>
>> *<root>*
>>
>> *    <my-data>*
>>
>> *        <node Id="n"></node>*
>>
>> *    <my-data>*
>>
>> *    <my-sign> *
>>
>>
>> *        <signature ref="n"></signature>    </my-sign>*
>> *</root>*
>>
>> Thanks a lot for your help
>> Regards
>>
>>
>> [1] http://www.w3.org/TR/xmldsig-core/
>> [2] http://www.w3.org/TR/xmldsig-core/#def-SignatureDetached
>> [3] http://msdn.microsoft.com/en-us/library/ms759193%28v=vs.85%29.aspx
>>
>
>
>
Received on Wednesday, 27 August 2014 06:54:34 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:42:36 UTC