- From: MURATA Makoto (FAMILY Given) <eb2m-mrt@asahi-net.or.jp>
- Date: Thu, 21 Jan 2010 00:28:15 +0900
- To: "'XMLSec WG Public List'" <public-xmlsec@w3.org>
- Cc: Murata <eb2m-mrt@asahi-net.or.jp>
> > Again, are preceding and following foreign elements disallowed? Apart
> > from the RSA-OAEP algorithm, what is allowed? RSA Version 1.5 only?
>
> Algorithms are extensible. You can determine what the content is for the
> known algorithms, but not the unknown ones.

But what are the known algorithms? RSA-OAEP and RSA Version 1.5 only?
When permissible contents are clearly defined, I would like to capture
them in the RELAX NG schema.

> > 4.5 The Object Element of XML Signature does not clearly specify
> > permissible children of the digital signature namespace.
>
> I've never used Object, but my understanding is that it contains literally
> anything. There's nothing special about the signature schema in that regard,
> and you would never want to try to enumerate it.

Actually, in RELAX NG, if you want to validate SignatureValue (rather than
skipping it) in Object for example, you have to explicitly reference the
pattern for SignatureValue.

> > I guess
> > that any of the SignatureValue, SignedInfo, CanonicalizationMethod,
> > SignatureMethod, Reference, Transforms, Transform, DigestMethod,
> > DigestValue, KeyInfo, KeyName, MgmtData, KeyValue, RetrievalMethod,
> > X509Data, PGPData, SPKIData, Manifest, SignatureProperties,
> > SignatureProperty, and DSAKeyValue elements are allowed.
>
> And every other element in the world.

Such foreign elements are allowed by

    ds_ObjectChild |= anyForeignElement

in allowAnyForeign.rnc. So, you can impose tight restrictions by using
xmldsig-core-schema.rnc only.

Cheers,
Makoto
Received on Wednesday, 20 January 2010 15:28:52 UTC
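The following RELAX NG compact schema is an added illustration of the `|=` combination the message refers to. It is constructed for this archive page and is not the contents of xmldsig-core-schema.rnc or allowAnyForeign.rnc; the reduced set of Object children, the `anyElement` helper and the file name `xmldsig-core-subset.rnc` are assumptions made for the example.

```rnc
# ---- xmldsig-core-subset.rnc (constructed; a small subset of the real core schema) ----
# Validating against this file alone yields the "tight" behaviour described in
# the message: Object may only contain the ds-namespace children listed in
# ds_ObjectChild, so a foreign element such as <x:Metadata/> is rejected.

default namespace ds = "http://www.w3.org/2000/09/xmldsig#"

start = Object

Object = element Object {
  attribute Id { xsd:ID }?,
  attribute MimeType { text }?,
  attribute Encoding { xsd:anyURI }?,
  (text | ds_ObjectChild)*
}

# Known children of Object in the signature namespace (subset for the example).
# SignatureValue is referenced explicitly so that it is validated, not skipped.
ds_ObjectChild = SignatureValue | Manifest | SignatureProperties

SignatureValue = element SignatureValue {
  attribute Id { xsd:ID }?,
  xsd:base64Binary
}

Manifest = element Manifest {
  attribute Id { xsd:ID }?,
  Reference+
}

Reference = element Reference {
  attribute Id { xsd:ID }?,
  attribute URI { xsd:anyURI }?,
  attribute Type { xsd:anyURI }?,
  element DigestMethod { attribute Algorithm { xsd:anyURI } },
  element DigestValue { xsd:base64Binary }
}

SignatureProperties = element SignatureProperties {
  attribute Id { xsd:ID }?,
  element SignatureProperty {
    attribute Id { xsd:ID }?,
    attribute Target { xsd:anyURI },
    # A property body is application-defined; the example accepts anything
    # outside the ds namespace here to keep the subset short.
    anyForeignElement+
  }+
}

# Any element in a namespace other than ds, with arbitrary attributes/content.
# Defined in the core file so SignatureProperty can use it; Object itself
# does not admit it until the extension file below is loaded.
anyForeignElement = element * - ds:* { anyContent }
anyElement        = element * { anyContent }
anyContent        = (attribute * { text } | text | anyElement)*

# ---- allowAnyForeign.rnc (constructed counterpart of the file named in the message) ----
# Including the core file and then combining with "|=" widens ds_ObjectChild:
# Object now accepts every foreign element in addition to the known ones.
# Omit this file (validate against the core file only) to keep the restriction.
#
# include "xmldsig-core-subset.rnc"
#
# ds_ObjectChild |= anyForeignElement
```

With both files saved separately, `jing -c allowAnyForeign.rnc signed.xml` accepts an Object carrying foreign children, while `jing -c xmldsig-core-subset.rnc signed.xml` reports them as errors; the difference is entirely the one `|=` line, which is the point the message makes about choosing which .rnc to validate against.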