- From: John Boyer <jboyer@PureEdge.com>
- Date: Thu, 23 Mar 2000 12:18:17 -0800
- To: "Petteri Stenius" <Petteri.Stenius@remtec.fi>, "IETF/W3C XML-DSig WG (E-mail)" <w3c-ietf-xmldsig@w3.org>

Actually, no it isn't enough to exclude by IDREF and no we shouldn't add more transforms.

1) Exclusion by IDREF simply means that some element given by ID was excluded at the time of signing and is now excluded. It is difficult to say anything about what the excluded element was at the time of signing. It would have to be excluded if and only if:

a) its ID matched some value
b) it was in fact a SignatureValue
c) it did in fact have a certain ancestry

Otherwise, you run the risk of being able to produce documents that fool the system at the time of signing. And it's not really that I expect such fooling around to occur often. I am more concerned with the attempt to repudiate transactions based on the argument that such fooling around 'could' occur. This is how technology disservices the relying party.

2) There should not be a proliferation of transforms that implement parts of the XPath transform. If you find the XPath transform useful, use it. XPath is sufficiently powerful to deal with any partial document needs you may have, so there should not be a need for other means of obtaining parts of the document.

John Boyer
Software Development Manager
PureEdge Solutions, Inc. (formerly UWI.Com)
jboyer@PureEdge.com

-----Original Message-----
From: w3c-ietf-xmldsig-request@w3.org [mailto:w3c-ietf-xmldsig-request@w3.org] On Behalf Of Petteri Stenius
Sent: Thursday, March 23, 2000 11:54 AM
To: IETF/W3C XML-DSig WG (E-mail)
Cc: 'Martin J. Duerst'
Subject: RE: Enveloped signatures and XPath

Yes, excluding the Signature or SignatureValue element (without using XPath) is the main concern with enveloped signatures.

I believe it could benefit many if more transforms were added to the spec; a generic "exclusion by IDREF" algorithm would be enough to solve enveloped signatures.

Petteri

> -----Original Message-----
> From: Martin J. Duerst [mailto:duerst@w3.org]
> Sent: Thursday, March 23, 2000 5:11 AM
> To: Petteri Stenius; IETF/W3C XML-DSig WG (E-mail)
> Subject: Re: Enveloped signatures and XPath
>
> At 00/03/22 19:39 +0200, Petteri Stenius wrote:
> >
> >The interop requirements doc reads:
> >
> >"Feature: Enveloped Signature MUST
> > requires: XPath selector that drops SignatureValue"
> >
> >I remember there was some talk about this at the FTF meeting in San Jose. It
> >was discussed that it could be possible to detect this particular XPath
> >expression without implementing the entire XPath support.
> >
> >Has anyone worked out a (standard?) XPath expression for excluding the
> >Signature or SignatureValue element?
>
> If that's the main concern, it may even be possible to define
> a transform that cuts out the SignatureValue element without
> using XPath at all.
>
> Regards, Martin.

Received on Thursday, 23 March 2000 15:16:13 UTC
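
The difference between exclusion by ID alone and exclusion under conditions (a) to (c) in the reply above can be shown in a few lines. This is an added example, not code from the thread or from any XML-DSig implementation. It assumes the `Id` attribute acts as the ID, checks ancestry only as "parent is Signature", and borrows the namespace URI from the later XML-DSig Recommendation; the sample documents are constructed.

```python
import xml.etree.ElementTree as ET

# Assumption: namespace URI of the later XML-DSig Recommendation, not from this thread.
DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed samples. In SWAPPED the referenced ID sits on business data instead.
HONEST = (f'<Order><Amount>100</Amount><Signature xmlns="{DSIG}">'
          '<SignatureValue Id="sv">AAAA</SignatureValue></Signature></Order>')
SWAPPED = (f'<Order><Amount Id="sv">100</Amount><Signature xmlns="{DSIG}">'
           '<SignatureValue>AAAA</SignatureValue></Signature></Order>')

def find_by_id(root, idref):
    """Return (element, parent) for the single element whose Id equals idref."""
    parent_of = {child: parent for parent in root.iter() for child in parent}
    hits = [e for e in root.iter() if e.get("Id") == idref]
    if len(hits) != 1:
        raise ValueError(f"expected one element with Id={idref!r}, found {len(hits)}")
    return hits[0], parent_of.get(hits[0])

def exclude_by_idref(root, idref):
    """ID-only exclusion: drops whatever element happens to carry the ID."""
    elem, parent = find_by_id(root, idref)
    if parent is None:
        raise ValueError("referenced element is the document root")
    parent.remove(elem)

def exclude_signature_value(root, idref):
    """Exclude only if conditions (a), (b) and (c) from the message all hold."""
    elem, parent = find_by_id(root, idref)                       # (a) ID matches
    if elem.tag != f"{{{DSIG}}}SignatureValue":                  # (b) is a SignatureValue
        raise ValueError(f"Id={idref!r} names {elem.tag}, not a SignatureValue")
    if parent is None or parent.tag != f"{{{DSIG}}}Signature":   # (c) ancestry
        raise ValueError("SignatureValue is not a child of Signature")
    parent.remove(elem)

def signed_bytes(xml_text, exclude, idref="sv"):
    """Serialize what would be covered by the signature after exclusion."""
    root = ET.fromstring(xml_text)
    exclude(root, idref)
    return ET.tostring(root)

if __name__ == "__main__":
    print(signed_bytes(SWAPPED, exclude_by_idref))      # Amount is silently missing
    try:
        signed_bytes(SWAPPED, exclude_signature_value)
    except ValueError as err:
        print("rejected:", err)
    print(signed_bytes(HONEST, exclude_signature_value))
```

With ID-only exclusion the `Amount` element drops out of the signed bytes without any error, which is the situation a party could later point to when disputing what was signed; the stricter check refuses that document instead.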