- From: Jirka Kosek <jirka@kosek.cz>
- Date: Mon, 07 Jan 2013 14:41:44 +0100
- To: public-xmlsec@w3.org
- CC: Frederick.Hirsch@nokia.com
- Message-ID: <50EAD098.7060800@kosek.cz>
Hi,

I haven't received a reply to my question about multiple enveloped signatures. Any insight about this issue from WG experts will be more than welcome.

Many thanks in advance,

Jirka

-------- Original Message --------
Subject: Multiple enveloped signatures
Date: Mon, 17 Dec 2012 16:04:15 +0100
From: Jirka Kosek <jirka@kosek.cz>
To: public-xmlsec@w3.org

Hi,

while developing the Czech XML-based invoicing standard we came across the issue of several signatures attached to one document, and even after studying all specifications related to XML DSig we are not sure what the right answer to our problem is.

Initially we needed to solve the simple problem of attaching one signature, and thus many implementors used Enveloped Signature as it was the easiest one to incorporate into an existing document.

However, after some time there was demand for multiple signatures -- for example an invoice has to be approved by several people, so each person attached his signature. Many implementations used enveloped signature for this as well. So a typical document looked like:

    <Invoice>
      ... invoice content ...
      <dsig:Signature>1st signature</dsig:Signature>
      <dsig:Signature>2nd signature</dsig:Signature>
      <dsig:Signature>3rd signature</dsig:Signature>
    </Invoice>

As all signatures were created as enveloped ones, validation has always been done from the end. After validating the 3rd signature, the signature was removed and the 2nd signature was validated. Then the 2nd signature was removed and the 1st signature was validated, etc.

However, such an approach doesn't allow validating the 1st (or 2nd) signature alone without removing the 2nd and 3rd signatures first, as they are considered a part of the signed content (<Reference URI=""> is used for enveloped signature).

So my questions (to which I haven't found an answer in any REC, WD or BP document) are:

-- is it correct to attach multiple enveloped signatures to one document?

-- is there somewhere a definition of the process used for validation of a document with several enveloped signatures?

-- if it's incorrect to attach multiple enveloped signatures to one document, where is this defined?

Thanks for insights in advance.

Jirka

--
------------------------------------------------------------------
  Jirka Kosek      e-mail: jirka@kosek.cz      http://xmlguru.cz
------------------------------------------------------------------
       Professional XML consulting and training services
  DocBook customization, custom XSLT/XSL-FO document processing
------------------------------------------------------------------
 OASIS DocBook TC member, W3C Invited Expert, ISO JTC1/SC34 rep.
------------------------------------------------------------------
    Bringing you XML Prague conference    http://xmlprague.cz
------------------------------------------------------------------
Received on Monday, 7 January 2013 13:42:09 UTC
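
Added example, not part of the original message: a small Python model of the validation order the message describes, showing why only the last enveloped signature checks out against the document as received while all of them check out when peeled from the end. It models only the Reference digest over URI="" with the enveloped-signature transform (no SignedInfo, SignatureValue or keys); the helper names and the sample invoice are constructed for illustration.

```python
import base64, copy, hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SIG, DIGEST = f"{{{DS}}}Signature", f"{{{DS}}}DigestValue"
ET.register_namespace("dsig", DS)

def digest_enveloped(root, sig):
    """Digest for <Reference URI=""> with the enveloped-signature transform:
    only `sig` itself is dropped, every other Signature stays in the input."""
    doc = copy.deepcopy(root)
    doc.remove(list(doc)[list(root).index(sig)])
    c14n = ET.canonicalize(ET.tostring(doc, encoding="unicode"))
    return base64.b64encode(hashlib.sha256(c14n.encode()).digest()).decode()

def add_signature(root):
    """Append one enveloped 'signature' (digest only, no key material)."""
    sig = ET.SubElement(root, SIG)
    ET.SubElement(sig, DIGEST).text = digest_enveloped(root, sig)
    return sig

def reference_valid(root, sig):
    """Recompute the digest for `sig` and compare with its stored value."""
    return sig.find(DIGEST).text == digest_enveloped(root, sig)

def validate_in_place(root):
    """Check each signature against the document exactly as received."""
    return [reference_valid(root, s) for s in root.findall(SIG)]

def validate_by_peeling(root):
    """Check the last signature, remove it, repeat (results last to first)."""
    doc, results = copy.deepcopy(root), []
    while sigs := doc.findall(SIG):
        results.append(reference_valid(doc, sigs[-1]))
        doc.remove(sigs[-1])
    return results

def sample_invoice(n=3):
    """Constructed sample: an Invoice carrying n enveloped signatures."""
    root = ET.Element("Invoice")
    ET.SubElement(root, "Total").text = "100.00"
    for _ in range(n):
        add_signature(root)
    return root

if __name__ == "__main__":
    inv = sample_invoice()
    print("in place:", validate_in_place(inv))
    print("peeling :", validate_by_peeling(inv))
```

A verifier that accepts such documents has to apply the peeling order deliberately; checking the 1st or 2nd signature against the received document fails even though nothing was tampered with.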