XML Signature document examples from Frederick Hirsch on 2007-10-19 (public-xmlsec-maintwg@w3.org from October 2007)

From: Frederick Hirsch <frederick.hirsch@nokia.com>
Date: Fri, 19 Oct 2007 09:21:12 -0400
To: XMLSec XMLSec <public-xmlsec-maintwg@w3.org>
Cc: Frederick Hirsch <frederick.hirsch@nokia.com>
Message-Id: <FE0A4318-E95F-4F24-A67A-B4B946E3DC36@nokia.com>

ACTION-81 was to replace the digest values in examples with "..."  
which was done, and possibly replace with actual correct digest  
values (not done).

These examples were  not part of interop so this would be extra work  
for those with implementations. If we do update the examples we  
should make sure the values are correct and produced consistently by  
more than one implementation.

I'm not sure how valuable this is since the examples are broad  
outlines with omitted parts in general, so omitting the actual digest  
values is probably not harmful. I don't think we can go beyond  
producing the digest values should we choose to do so.

How hard would it be for the interop participants to run the  
following tests to produce values for updating the spec, should we  
choose to do so?

1. Example in 2.1 http://www.w3.org/2007/xmlsec/Drafts/xmldsig-core/ 
#sec-o-Simple

Generate SHA-1 digest for HTML4 specification to put in the Reference  
digest value for first example:

Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/

Unless we define the DSA parameters etc we cannot produce a signature  
value. Since this was meant as an example without every detail I  
think this is fine.

2. Example in 2.1.1 http://www.w3.org/2007/xmlsec/Drafts/xmldsig-core/ 
#sec-o-Reference

Generate SHA-1 hash of
Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/"
after using C14N11 transform.

3. Example in 2.2 http://www.w3.org/2007/xmlsec/Drafts/xmldsig-core/ 
#sec-o-SignatureProperty

Reference timestamp (in example XML) and transform with C14N11 to  
create SHA-1 digest value.

What does the WG think, should we leave the examples as-is or update  
the values?

If the implementors who tested in interop can easily generate these  
values then I suggest we update the specification, otherwise not.

I'd like to agree on our approach on our call 23 Oct, and if we  
decide to generate the values, conclude updating the spec next week.

Thanks

regards, Frederick

Frederick Hirsch
Nokia

Received on Friday, 19 October 2007 13:22:15 UTC