W3C home > Mailing lists > Public > public-xmlsec-comments@w3.org > August 2014

Re: Detached signature of non-sibling elements (?)

From: Frederick Hirsch <w3c@fjhirsch.com>
Date: Thu, 28 Aug 2014 08:51:18 -0400
Cc: Frederick Hirsch <w3c@fjhirsch.com>, Konrad Lanz <Konrad.Lanz@iaik.tugraz.at>, public-xmlsec-comments@w3.org, "public-xmlsec@w3.org List Public" <public-xmlsec@w3.org>
Message-Id: <5AE69AC7-9F75-4E56-9639-17727434AC49@fjhirsch.com>
To: helpcrypto helpcrypto <helpcrypto@gmail.com>
> Hence, more reasons to correct spec and use:
> "Detached signatures are over external network resources or local data objects that reside within the same XML document; that is, the signature is neither enveloping (signature is parent) nor enveloped (signature is child)."
> and:
> "This definition typically applies to separate data objects, but it also includes the instance where the Signature and data object reside within the same XML document."
> 
> That is, remove the "sibling" reference.

That is even better, thanks for helping get it right.

I tried, but the sibling wording was a bad place to start; sometimes trying to edit with the existing words does not work so well :)

This is much better.

Anyone have any more concerns?

regards, Frederick

Frederick Hirsch, Nokia
@fjhirsch



On Aug 28, 2014, at 7:28 AM, helpcrypto helpcrypto <helpcrypto@gmail.com> wrote:

> On Thu, Aug 28, 2014 at 11:32 AM, Konrad Lanz <Konrad.Lanz@iaik.tugraz.at> wrote:
> Hi,
> 
>  Detached Signatures are completely disjoint from the signed data objects. Detached signatures are disjoint from the signed data objects and may lie within the same document or in a separate file.
> 
> When more than one <ds:Reference>s (or XPointer URI fragments) are used, then combinations of the different forms with respect to the data objects/<ds:Reference> can be achieved.
> 
> Hence, more reasons to correct spec and use:
> "Detached signatures are over external network resources or local data objects that reside within the same XML document; that is, the signature is neither enveloping (signature is parent) nor enveloped (signature is child)."
> and:
> "This definition typically applies to separate data objects, but it also includes the instance where the Signature and data object reside within the same XML document."
> 
> That is, remove the "sibling" reference.
> 
>  
> Explanation: 
> 
> To be precise, talking about Signature Forms - such as enveloped, enveloping or detached - only makes sense with respect to *one* (ds:Reference/@URI ; data object) tuple. So a <ds:Signature> can only be detached with respect to a <ds:Reference> when its URI refers to a node-set that is completely disjoint[1] from the <ds:Signature>'s node-set.
> 
> Hence I wrote a few years back ...
> 
> https://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pDocumentNr=90836#nameddest=subsection.2.4.1.2
>>  Detached Signatures are completely disjoint from the signed data object.
>> Detached signatures are disjoint from the signed data object and may lie within the same document as
>> the data object or in a separate file.
>> When XPointer URI fragments or more <ds:Reference>s than one are used then combinations of these
>> different forms with respect to the data objects can be achieved.
> 
> Totally understood and agree.
> 
> IMHO it is now much clearer that the standard should be fixed, and I suggest the correction be made in both [2] and [3]. Do you agree?
> 
> [2] http://www.w3.org/TR/xmldsig-core/
> [3] http://www.w3.org/TR/xmldsig-core1/
> 
> 
> Anything to say about the Microsoft internally/externally invention?


Received on Thursday, 28 August 2014 12:52:22 UTC
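Konrad's point above, that the form of a signature is a property of each (ds:Reference/@URI ; data object) tuple and that "detached" means the two node-sets are disjoint rather than that the elements are siblings, as an added Python example; this is not code from the thread, from the XML Signature specification or from any W3C project. The sample document, the list of attribute names treated as IDs, and the helper names are this example's own assumptions; the node-set relation is approximated by element ancestry in the parsed tree, and a same-document URI that matches more than one Id is rejected rather than guessed.

```python
"""Classify each ds:Reference of an XML Signature as enveloped, enveloping
or detached by the node-set relation between the referenced data object
and the ds:Signature element, not by sibling position.

Added example; the sample document and helper names are assumptions.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# Without a DTD or schema the parser cannot know which attributes are of
# type ID, so this list of attribute names is an assumption.
ID_ATTRS = ("Id", "ID", "id")

# Constructed sample: the Signature sits inside Body and references a
# non-sibling element (#ts), an ancestor (#body), its own ds:Object (#obj),
# an external resource, and the whole document (URI=""). Digests are omitted.
SAMPLE = """<Root xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <Header>
    <Timestamp Id="ts">2014-08-28T12:00:00Z</Timestamp>
  </Header>
  <Body Id="body">
    <Order>widget x 3</Order>
    <ds:Signature Id="sig">
      <ds:SignedInfo>
        <ds:Reference URI="#ts"/>
        <ds:Reference URI="#body"/>
        <ds:Reference URI="#obj"/>
        <ds:Reference URI="http://example.org/policy.xml"/>
        <ds:Reference URI=""/>
      </ds:SignedInfo>
      <ds:SignatureValue>AAA=</ds:SignatureValue>
      <ds:Object Id="obj">payload</ds:Object>
    </ds:Signature>
  </Body>
</Root>"""


def parent_map(root):
    """ElementTree has no parent pointers; build child -> parent once."""
    return {child: parent for parent in root.iter() for child in parent}


def ancestors(elem, parents):
    """Yield elem's ancestors from its parent up to the document root."""
    while elem in parents:
        elem = parents[elem]
        yield elem


def find_by_id(root, ident):
    """Return the unique element whose ID-typed attribute equals ident.
    A missing or duplicated Id raises instead of guessing: a duplicate Id
    is exactly the ambiguity a signature-wrapping attack relies on."""
    hits = [e for e in root.iter() if any(e.get(a) == ident for a in ID_ATTRS)]
    if len(hits) != 1:
        raise ValueError(f"Id {ident!r} matched {len(hits)} elements")
    return hits[0]


def classify_reference(uri, signature, root, parents):
    """Signature form for ONE (Reference URI, data object) tuple."""
    if uri == "":
        # Whole document: the Signature is a descendant of the data object.
        return "enveloped"
    if not uri.startswith("#"):
        return "detached"          # external network resource
    target = find_by_id(root, uri[1:])
    if target is signature:
        raise ValueError("a Reference to the Signature itself has no form")
    if signature in ancestors(target, parents):
        return "enveloping"        # data object lives inside the Signature
    if target in ancestors(signature, parents):
        return "enveloped"         # Signature lives inside the data object
    return "detached"              # disjoint node-sets, sibling or not


def classify_signature(xml_text):
    """Map every Reference URI of the first ds:Signature to its form."""
    root = ET.fromstring(xml_text)
    parents = parent_map(root)
    signature = root.find(f".//{{{DS}}}Signature")
    if signature is None:
        raise ValueError("no ds:Signature element")
    refs = signature.iterfind(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    return {r.get("URI", ""): classify_reference(r.get("URI", ""),
                                                 signature, root, parents)
            for r in refs}


if __name__ == "__main__":
    for uri, form in classify_signature(SAMPLE).items():
        print(f"{uri or '(whole document)':35} {form}")
```

The first Reference (#ts) is the case the "sibling" wording excluded: Timestamp lives under Header while the Signature lives under Body, so they are not siblings, yet the two node-sets are disjoint and the Reference is detached under the corrected definition. The same Signature is enveloped with respect to #body and the whole-document URI, and enveloping with respect to its own ds:Object, which is the combination of forms Konrad describes when more than one ds:Reference is used.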
