- From: helpcrypto helpcrypto <helpcrypto@gmail.com>
- Date: Thu, 28 Aug 2014 13:28:33 +0200
- To: Konrad Lanz <Konrad.Lanz@iaik.tugraz.at>
- Cc: Frederick Hirsch <w3c@fjhirsch.com>, public-xmlsec-comments@w3.org, "public-xmlsec@w3.org List Public" <public-xmlsec@w3.org>
- Message-ID: <CAHMQSgt5O5t8MyB-ZFfBAhmKQwwejwuYKLhAXxQ87q2sKy+unQ@mail.gmail.com>
On Thu, Aug 28, 2014 at 11:32 AM, Konrad Lanz <Konrad.Lanz@iaik.tugraz.at> wrote:
> Hi,
>
> • Detached Signatures are completely disjoint from the signed data objects. Detached signatures are disjoint from the signed data objects and may lie within the same document or in a separate file.
>
> When more than one <ds:Reference> (or XPointer URI fragments) is used, then combinations of the different forms with respect to the data objects/<ds:Reference> can be achieved.
>

Hence, more reasons to correct the spec and use:

*"Detached signatures are over external network resources or local data objects that reside within the same XML document; that is, the signature is neither enveloping (signature is parent) nor enveloped (signature is child)."*

and:

*"This definition typically applies to separate data objects, but it also includes the instance where the Signature and data object reside within the same XML document."*

That is, remove the "sibling" reference.

> Explanation:
>
> To be precise, talking about Signature Forms - such as enveloped, enveloping or detached - only makes sense with respect to *one* (ds:Reference/@URI ; data object) tuple. So a <ds:Signature> can only be detached with respect to a <ds:Reference> when its URI refers to a node-set that is completely disjoint[1] <http://en.wikipedia.org/wiki/Disjoint_sets> from the <ds:Signature>'s node-set.
>
> Hence I wrote a few years back ...
>
> https://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pDocumentNr=90836#nameddest=subsection.2.4.1.2
>
> • Detached Signatures are completely disjoint from the signed data object. Detached signatures are disjoint from the signed data object and may lie within the same document as the data object or in a separate file.
> When XPointer URI fragments or more than one <ds:Reference> are used, then combinations of these different forms with respect to the data objects can be achieved.
>

Totally understood and agree.
IMHO it is now much clearer that the standard should be fixed, and I suggest the correction be done in both [2] and [3]. Do you agree?

[2] http://www.w3.org/TR/xmldsig-core/
[3] http://www.w3.org/TR/xmldsig-core1/

Anything to say about the Microsoft internally/externally *invention*?
Received on Thursday, 28 August 2014 11:29:24 UTC
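The point argued in the thread, that enveloped/enveloping/detached is a property of each (ds:Reference/@URI ; data object) tuple rather than of the whole <ds:Signature>, can be made concrete with a small classifier. The following is an added example written for this page; it is not code from the thread, from the W3C specification or from any XML Signature library. It assumes same-document references use an `Id` attribute, treats any non-fragment URI as an external (hence detached) resource, ignores XPointer expressions and Transforms, and uses ElementTree ancestor relationships as a stand-in for XPath node-set containment. The sample document is constructed so that one signature is enveloped, enveloping and detached at the same time, depending on which reference you look at.

```python
"""Classify each <ds:Reference> of an XML Signature as enveloped, enveloping
or detached, one (Reference URI, data object) tuple at a time."""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
DS_SIGNATURE = f"{{{DS}}}Signature"
DS_REFERENCE = f"{{{DS}}}Reference"

# Constructed sample (not from the thread): a single <ds:Signature> whose
# references cover all three forms, plus a same-document reference to a
# sibling element, which the thread argues is simply "detached".
SAMPLE_XML = """<Envelope xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <Payload Id="payload">hello</Payload>
  <ds:Signature Id="sig">
    <ds:SignedInfo>
      <ds:Reference URI="#payload"/>
      <ds:Reference URI="#obj1"/>
      <ds:Reference URI="http://example.invalid/remote.bin"/>
      <ds:Reference URI=""/>
    </ds:SignedInfo>
    <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
    <ds:Object Id="obj1">embedded data</ds:Object>
  </ds:Signature>
</Envelope>
"""


def _parent_map(root):
    """ElementTree has no parent pointers; build child -> parent once."""
    return {child: parent for parent in root.iter() for child in parent}


def _is_ancestor_or_self(candidate, node, parents):
    """True if `candidate` is `node` itself or one of its ancestors."""
    while node is not None:
        if node is candidate:
            return True
        node = parents.get(node)
    return False


def classify_references(xml_text):
    """Return [(URI, form), ...] in document order, one entry per reference.

    form is "enveloped"  when the referenced node-set contains the Signature,
            "enveloping" when the Signature contains the referenced node-set,
            "detached"   when the two node-sets are disjoint (external URI or
                         a same-document element outside the Signature),
            "self-reference" when the URI points at the Signature itself,
            "unresolved" when a fragment URI matches no Id in the document.
    """
    root = ET.fromstring(xml_text)
    parents = _parent_map(root)
    by_id = {el.get("Id"): el for el in root.iter() if el.get("Id")}
    result = []
    for sig in root.iter(DS_SIGNATURE):
        for ref in sig.iter(DS_REFERENCE):
            uri = ref.get("URI", "")
            if uri == "":
                target = root  # empty URI: the whole enclosing document
            elif uri.startswith("#"):
                target = by_id.get(uri[1:])  # same-document Id reference
                if target is None:
                    result.append((uri, "unresolved"))
                    continue
            else:
                result.append((uri, "detached"))  # external resource
                continue
            if target is sig:
                form = "self-reference"
            elif _is_ancestor_or_self(target, sig, parents):
                form = "enveloped"
            elif _is_ancestor_or_self(sig, target, parents):
                form = "enveloping"
            else:
                form = "detached"
            result.append((uri, form))
    return result


if __name__ == "__main__":
    for uri, form in classify_references(SAMPLE_XML):
        print(f"{uri or '(empty)':45s} {form}")
```

Run on the sample, `#payload` comes out detached even though the data object sits in the same document as the signature, which is exactly the case the proposed wording ("local data objects that reside within the same XML document") is meant to cover; `#obj1` is enveloping and the empty URI is enveloped, showing why the form has to be stated per reference rather than per signature.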