- From: Andreas Schmidt <aschmidt@darmstadt.gmd.de>
- Date: Tue, 18 Jan 2000 11:19:56 +0100
- To: John Boyer <jboyer@uwi.com>
- CC: DSig Group <w3c-ietf-xmldsig@w3.org>
John Boyer wrote:
> Joseph asked for this to be posted for consideration before the FTF.
>
> This is a first draft of (some of) the questions that will end up in the new
> scenarios/FAQ document. In addition, rough notes on what the answers will
> be are given.
>
> Please feel free to comment on these answers. Also, certainly there are
> additional useful questions/answers.
I want to briefly comment on FAQs 2) and 5) cited below:
> 2) I have a whole XML document. How do I sign it?
>
> A1: If the XML document is addressable by a URL, then you could create a
> detached signature. The SignedInfo Reference would include a URI to the XML
> document.
>
> A2: If you have a copy of the XML document in some temporary file or memory
> buffer, you can put the data in an enveloping signature. It is likely that
> you will have to base-64 encode the XML document since an entire XML
> document cannot appear as element content. Alternately, character sequences
> forbidden from content by XML can be escaped using the XML escaping
> mechanism.
>
> A3: You could create an enveloped signature inside the XML document. The
> SignedInfo Reference would refer to the document’s root element. The
> signature would have to use transforms to exclude itself from the message
> digested in the Reference’s DigestValue.
...
> 5) I have an XML document. How do I combine that document with a signature
> such that, in the resulting document, the signature signs the original
> document?
>
> A1: Create an enveloping signature around the root element of the document.
> A2: Create an enveloped signature. The signature is placed inside the
> document, and its SignedInfo Reference contains transforms that omit the
> signature from the document.
First, it seems to me that these two could be combined into a single
question (maybe with subpoints). Two suggestions that I think would help
clarify the issues:
1. In answers 2) A3 and 5) A2, the _minimum_ content to be omitted by the
transformations (DigestValue and SignatureValue), and that it MUST be omitted
for the signature to validate, should be clearly stated (since I think FAQs
are for the non-expert). Editorial: The URI="" addressing method should be
spelled out and a reference to the defining portion of the spec should be
given.
2. In [1] I made the suggestion that URI="" should automatically omit the
stuff leading to self-referentiality, which was objected to in [2,3]. I would
suggest that the design choice taken for core syntax behaviour is explained
at this point (I think including such stuff in a FAQ helps clarify and is
therefore generally a good thing). Text proposal:
"This two-step procedure, using URI="" and transformations, has been
prescribed in spite of its apparent redundancy for the following reasons: ..."
The reasons given in [2,3] are to be filled in for ...
[1] http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2000JanMar/0004.html
[2] http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2000JanMar/0005.html
[3] http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2000JanMar/0006.html
Andreas
Received on Tuesday, 18 January 2000 05:18:32 UTC
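
The self-reference problem discussed in this message, shown as an added example that is not part of the original post or of the specification: a Reference with URI="" covers the whole document, so its digest only validates if the enveloped Signature element is removed before digesting. Assumptions: the namespace is the one from the later W3C Recommendation, SHA-256 and Python's built-in canonicalization stand in for the draft's algorithms, the helper names are hypothetical, and only the Reference digest is modelled (no SignatureValue over SignedInfo).

```python
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"  # assumption: namespace of the later Recommendation
ET.register_namespace("ds", DSIG)

SAMPLE = "<order><item>widget</item></order>"  # constructed sample document


def digest(root, drop_signature):
    """Base64 SHA-256 of the canonical form of root.

    With drop_signature=True, ds:Signature children of the root are removed
    first, which is a simplified stand-in for an enveloped-signature transform.
    """
    tree = copy.deepcopy(root)
    if drop_signature:
        for sig in tree.findall(f"{{{DSIG}}}Signature"):
            tree.remove(sig)
    c14n = ET.canonicalize(ET.tostring(tree, encoding="unicode"))
    return base64.b64encode(hashlib.sha256(c14n.encode("utf-8")).digest()).decode("ascii")


def envelop(root):
    """Append a ds:Signature whose Reference URI="" carries the digest of everything else."""
    value = digest(root, drop_signature=True)
    sig = ET.SubElement(root, f"{{{DSIG}}}Signature")
    info = ET.SubElement(sig, f"{{{DSIG}}}SignedInfo")
    ref = ET.SubElement(info, f"{{{DSIG}}}Reference", URI="")
    ET.SubElement(ref, f"{{{DSIG}}}DigestValue").text = value
    return root


def reference_validates(root, apply_transform):
    """Recompute the digest and compare it with the stored DigestValue."""
    stored = root.find(f".//{{{DSIG}}}DigestValue").text
    return digest(root, drop_signature=apply_transform) == stored


if __name__ == "__main__":
    doc = envelop(ET.fromstring(SAMPLE))
    print("with transform:   ", reference_validates(doc, True))
    # Without the transform the digest input contains its own DigestValue.
    print("without transform:", reference_validates(doc, False))
    doc.find("item").text = "gadget"  # change the signed content
    print("after tampering:  ", reference_validates(doc, True))
```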