- From: Joseph M. Reagle Jr. <reagle@w3.org>
- Date: Fri, 07 Jul 2000 21:45:51 -0400
- To: Kevin Regan <kevinr@valicert.com>
- Cc: w3c-ietf-xmldsig@w3.org

At 16:45 2000-07-07 -0700, Kevin Regan wrote:
>
>Is it necessary to have the:
>
>http://www.w3.org/2000/02/xmldsig#enveloping-signature
>
>algorithm? Can't this simply be implied? When would you
>not want to exclude the enveloped Signature element from
>the canonicalization step? It seems like additional
>complexity that is not really needed.

It isn't necessary for external or enveloped Signatures. Having it implied
buys little but potential ambiguity. Consider the behavior of a
canonicalization algorithm where this is implied and one is dealing with
nested enveloped/enveloping Signatures. John's approach of distinguishing
between evaluating-expressions-as-transforms, such as Signature's enveloping
signature:

    <XPath xmlns:dsig="&dsig;">
    (//. | //@* | //namespace::*)
    [
      count(ancestor-or-self::dsig:Signature |
      here()/ancestor::dsig:Signature[1]) >
      count(ancestor-or-self::dsig:Signature)
    ]
    </XPath>

or canonicalization's internal/default:

    (//. | //@* | //namespace::*)[not(self::comment())]

and actual node-set ordering to UTF-8 conversion is quite slick IMHO.

_________________________________________________________
Joseph Reagle Jr.
W3C Policy Analyst mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair http://www.w3.org/People/Reagle/
Received on Friday, 7 July 2000 21:47:11 UTC
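
Added example (not part of the original message or of the XML-Signature drafts): a Python model of which elements the predicate in the message's XPath expression keeps when a document carries more than one Signature. It covers element nodes only, uses a tree walk in place of an XPath engine that supports here(), and assumes the dsig namespace is the prefix of the algorithm URI quoted in the message; the sample document and helper names are constructed.

```python
import xml.etree.ElementTree as ET

# Assumption: namespace taken from the algorithm URI quoted in the message.
DSIG = "http://www.w3.org/2000/02/xmldsig#"
SIG = f"{{{DSIG}}}Signature"

# Constructed sample: Signature "A" is already in the document; Signature "B"
# holds the XPath transform and itself envelops a further Signature "C".
SAMPLE = f"""
<Doc xmlns:dsig="{DSIG}">
  <Data>payload</Data>
  <dsig:Signature Id="A"><dsig:SignatureValue>a</dsig:SignatureValue></dsig:Signature>
  <dsig:Signature Id="B">
    <dsig:SignedInfo><dsig:XPath Id="here"/></dsig:SignedInfo>
    <dsig:Object><dsig:Signature Id="C"/></dsig:Object>
  </dsig:Signature>
</Doc>
"""

def sig_ancestors(node, parent):
    """ancestor-or-self::dsig:Signature, listed from nearest outwards."""
    out = []
    while node is not None:
        if node.tag == SIG:
            out.append(node)
        node = parent.get(node)
    return out

def signed_elements(root, here):
    """Elements kept by the predicate of the enveloped-signature expression."""
    parent = {child: p for p in root.iter() for child in p}
    # here()/ancestor::dsig:Signature[1]: nearest Signature above the XPath node
    own = sig_ancestors(parent[here], parent)[0]
    kept = []
    for node in root.iter():
        sigs = sig_ancestors(node, parent)
        # The union outgrows sigs exactly when `own` is not an ancestor-or-self.
        union = sigs if any(s is own for s in sigs) else sigs + [own]
        if len(union) > len(sigs):
            kept.append(node)
    return kept

def demo():
    """Labels (Id or local name) of the kept elements, in document order."""
    root = ET.fromstring(SAMPLE)
    here = root.find(f".//{{{DSIG}}}XPath")
    return [n.get("Id") or n.tag.split("}")[-1] for n in signed_elements(root, here)]
```

Only the Signature that contains the XPath element (B) and everything inside it drop out; the pre-existing Signature A stays in the signed node-set, which is the case an implied exclusion would leave ambiguous.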