- From: Frederick Hirsch <w3c@fjhirsch.com>
- Date: Thu, 28 Aug 2014 08:51:18 -0400
- To: helpcrypto helpcrypto <helpcrypto@gmail.com>
- Cc: Frederick Hirsch <w3c@fjhirsch.com>, Konrad Lanz <Konrad.Lanz@iaik.tugraz.at>, public-xmlsec-comments@w3.org, "public-xmlsec@w3.org List Public" <public-xmlsec@w3.org>
- Message-Id: <5AE69AC7-9F75-4E56-9639-17727434AC49@fjhirsch.com>
> Hence, more reasons to correct spec and use:
> "Detached signatures are over external network resources or local data objects that reside within the same XML document; that is, the signature is neither enveloping (signature is parent) nor enveloped (signature is child)."
> and:
> "This definition typically applies to separate data objects, but it also includes the instance where the Signature and data object reside within the same XML document."
>
> That is, remove the "sibling" reference.

That is even better, thanks for helping get it right. I tried, but the sibling wording was a bad place to start; sometimes trying to edit with existing words does not work so well :)

This is much better.

Anyone have any more concerns?

regards, Frederick

Frederick Hirsch, Nokia
@fjhirsch

On Aug 28, 2014, at 7:28 AM, helpcrypto helpcrypto <helpcrypto@gmail.com> wrote:

> On Thu, Aug 28, 2014 at 11:32 AM, Konrad Lanz <Konrad.Lanz@iaik.tugraz.at> wrote:
> Hi,
>
> • Detached Signatures are completely disjoint from the signed data objects. Detached signatures are disjoint from the signed data objects and may lie within the same document or in a separate file.
>
> When more than one <ds:Reference> (or XPointer URI fragments) are used, then combinations of the different forms with respect to the data objects/<ds:Reference> can be achieved.
>
> Hence, more reasons to correct spec and use:
> "Detached signatures are over external network resources or local data objects that reside within the same XML document; that is, the signature is neither enveloping (signature is parent) nor enveloped (signature is child)."
> and:
> "This definition typically applies to separate data objects, but it also includes the instance where the Signature and data object reside within the same XML document."
>
> That is, remove the "sibling" reference.
>
> Explanation:
>
> To be precise, talking about Signature Forms - such as enveloped, enveloping or detached - only makes sense with respect to *one* (ds:Reference/@URI ; data object) tuple. So a <ds:Signature> can only be detached with respect to a <ds:Reference> when its URI refers to a node-set that is completely disjoint[1] from the <ds:Signature>'s node-set.
>
> Hence I wrote a few years back ...
>
> https://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pDocumentNr=90836#nameddest=subsection.2.4.1.2
>> • Detached Signatures are completely disjoint from the signed data object.
>> Detached signatures are disjoint from the signed data object and may lie within the same document as
>> the data object or in a separate file.
>> When XPointer URI fragments or more than one <ds:Reference> are used, then combinations of these
>> different forms with respect to the data objects can be achieved.
>
> Totally understood and agree.
>
> IMHO it is now much clearer that the standard should be fixed, and I suggest the correction be done in both [2] and [3]. Do you agree?
>
> [2] http://www.w3.org/TR/xmldsig-core/
> [3] http://www.w3.org/TR/xmldsig-core1/
>
>
> Anything to say about the Microsoft internally/externally invention?
Received on Thursday, 28 August 2014 12:52:22 UTC
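The definition Konrad gives in the thread (the signature form is a property of one (ds:Reference/@URI, data object) tuple, and "detached" means the referenced node-set is disjoint from the ds:Signature node-set, whether the data object is in the same document or external) can be checked mechanically. The following is an added example, not code from the W3C XML Security Working Group or from any participant in the thread: it parses a document with Python's standard xml.etree, resolves each ds:Reference URI in ds:SignedInfo (empty URI = whole document, "#id" = element with that Id; other XPointer forms are treated as unresolvable here), and reports per reference whether the signature is enveloped, enveloping, detached in the same document, or detached over an external resource. The sample document, its element names, Id values and the external URI are constructed for this example.

```python
"""Classify the form of an XML Signature per <ds:Reference>.

Added illustration of the definitions discussed in the thread (not code from
the W3C XML Security WG or from any participant). For each <ds:Reference> in
<ds:SignedInfo> it decides whether the referenced node-set contains the
<ds:Signature> (enveloped), lies inside it (enveloping), or is disjoint from it
(detached, either in the same document or external). The sample document,
element and Id names below are constructed for this example.
"""
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS_NS}


def _parent_map(root):
    """ElementTree keeps no parent pointers, so build a child -> parent map once."""
    return {child: parent for parent in root.iter() for child in parent}


def _resolve_same_document(root, uri):
    """Resolve '' (whole document) or '#id' (element carrying that Id).

    Returns None when the URI is not a same-document reference or the Id is
    not found. XPointer fragments other than a bare name are not handled."""
    if uri == "":
        return root
    if uri.startswith("#"):
        ident = uri[1:]
        for el in root.iter():
            if ident in (el.get("Id"), el.get("ID"), el.get("id")):
                return el
    return None


def _contains(pmap, outer, inner):
    """True if `outer` is `inner` itself or one of its ancestors."""
    node = inner
    while node is not None:
        if node is outer:
            return True
        node = pmap.get(node)
    return False


def classify_reference(root, signature, reference, pmap):
    """Signature form with respect to one (ds:Reference/@URI, data object) tuple."""
    uri = reference.get("URI")
    if uri is None:
        return "unresolvable"          # data object known only to the application
    target = _resolve_same_document(root, uri)
    if target is None:
        return "unresolvable" if uri.startswith("#") else "detached-external"
    if _contains(pmap, target, signature):
        return "enveloped"             # signed node-set contains the signature
    if _contains(pmap, signature, target):
        return "enveloping"            # signed node-set lies inside the signature
    return "detached-local"            # disjoint node-set in the same document


def classify_document(xml_text):
    """Return, per <ds:Signature>, a list of (URI, form) tuples for its References."""
    root = ET.fromstring(xml_text)
    pmap = _parent_map(root)
    out = []
    for sig in root.iter("{%s}Signature" % DS_NS):
        refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
        out.append([(r.get("URI"), classify_reference(root, sig, r, pmap)) for r in refs])
    return out


# Constructed sample: one signature whose four References combine all forms.
SAMPLE = """<Doc xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <Invoice Id="inv1"><Amount>10</Amount></Invoice>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="#inv1"/>
      <ds:Reference URI=""/>
      <ds:Reference URI="#obj1"/>
      <ds:Reference URI="http://example.invalid/external.bin"/>
    </ds:SignedInfo>
    <ds:Object Id="obj1">payload</ds:Object>
  </ds:Signature>
</Doc>"""

if __name__ == "__main__":
    for forms in classify_document(SAMPLE):
        for uri, form in forms:
            print("%-40r %s" % (uri, form))
```

Running it on the sample shows one ds:Signature that is detached with respect to "#inv1" (same document, disjoint node-set), enveloped with respect to "" (the whole document contains the signature), enveloping with respect to "#obj1" (the ds:Object sits inside the signature) and detached with respect to the external URI, which is exactly the "combinations of the different forms" point made in the thread. For a verifier the classification matters because it says which transforms to expect: an enveloped reference needs the enveloped-signature transform to exclude the signature from the digest input, whereas a detached reference, local or external, must not include the signature's node-set at all.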