On Thu, Aug 28, 2014 at 11:32 AM, Konrad Lanz <Konrad.Lanz@iaik.tugraz.at> wrote:

> Hi,
>
> • Detached Signatures are completely disjoint from the signed data
> objects. Detached signatures are disjoint from the signed data objects and
> may lie within the same document or in a separate file.
>
> When more than one <ds:Reference>s (or XPointer URI fragments) are used,
> then combinations of the different forms with respect to the data
> objects/<ds:Reference> can be achieved.
>

Hence, more reasons to correct spec and use:

*"Detached signatures are over external network resources or local data objects that reside within the same XML document; that is, the signature is neither enveloping (signature is parent) nor enveloped (signature is child)."*

and:

*"This definition typically applies to separate data objects, but it also includes the instance where the Signature and data object reside within the same XML document."*

That is, remove the "sibling" reference.

> Explanation:
>
> To be precise when talking about Signature Forms - such as enveloped,
> enveloping or detached - makes only sense with respect to *one*
> (ds:Reference/@URI ; data object) tuple. So a <ds:Signature> can only be
> detached with respect to a <ds:Reference> when its URI refers to a node-set
> that is completely disjoint[1]
> <http://en.wikipedia.org/wiki/Disjoint_sets> from <ds:Signature>s
> node-set.
>
> Hence I wrote a few years back ...
>
> https://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pDocumentNr=90836#nameddest=subsection.2.4.1.2
>
> • Detached Signatures are completely disjoint from the signed data object.
> Detached signatures are disjoint from the signed data object and may lie
> within the same document as the data object or in a separate file.
> When XPointer URI fragments or more <ds:Reference>s than one are used then
> combinations of these different forms with respect to the data objects
> can be achieved.
>

Totally understood and agree.
IMHO it is now much clearer that the standard should be fixed, and I suggest the correction be done in both [2] and [3]. Do you agree?

[2] http://www.w3.org/TR/xmldsig-core/
[3] http://www.w3.org/TR/xmldsig-core1/

Anything to say about the Microsoft internally/externally *invention*?

Received on Thursday, 28 August 2014 11:29:26 UTC
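
The per-reference view described in the quoted explanation above, as an added example that is not part of the original thread: each `<ds:Reference>` of one signature is classified as enveloped, enveloping or detached by testing whether its target subtree and the signature subtree are nested or disjoint. It assumes ID attributes are named `Id`, ignores transforms and XPointer fragments, and runs on a constructed sample document.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample: one signature whose four references take different forms.
SAMPLE = """<doc>
  <order Id="order"><item>42</item></order>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:Reference URI="#order"/>
      <ds:Reference URI=""/>
      <ds:Reference URI="#obj"/>
      <ds:Reference URI="http://example.org/data.bin"/>
    </ds:SignedInfo>
    <ds:Object Id="obj">payload</ds:Object>
  </ds:Signature>
</doc>"""

def classify_references(xml_text):
    """Return [(URI, form)] for each SignedInfo/Reference of the first Signature."""
    root = ET.fromstring(xml_text)
    sig = root if root.tag == DS + "Signature" else root.find(".//" + DS + "Signature")
    sig_nodes = set(sig.iter())              # node-set of the signature subtree
    # Assumption: ID-typed attributes are named "Id" (no schema/DTD is consulted).
    by_id = {el.get("Id"): el for el in root.iter() if el.get("Id")}
    forms = []
    for ref in sig.find(DS + "SignedInfo").findall(DS + "Reference"):
        uri = ref.get("URI")
        if uri is None:
            forms.append((uri, "unresolved"))    # application-defined target
            continue
        if uri and not uri.startswith("#"):
            forms.append((uri, "detached"))      # external resource
            continue
        target = root if uri == "" else by_id.get(uri[1:])
        if target is None:
            forms.append((uri, "unresolved"))    # dangling or XPointer fragment
        elif target is not sig and target in sig_nodes:
            forms.append((uri, "enveloping"))    # data lies inside the signature
        elif sig in set(target.iter()):
            forms.append((uri, "enveloped"))     # signature lies inside the data
        else:
            forms.append((uri, "detached"))      # node-sets are disjoint
    return forms

if __name__ == "__main__":
    for uri, form in classify_references(SAMPLE):
        print(f"{uri!r:35} {form}")
```

The `#order` reference comes out as detached even though the order element sits next to the signature in the same document, while the other references of the same signature are enveloped and enveloping.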