Re: enveloped-signature algorithm

At 16:45 2000-07-07 -0700, Kevin Regan wrote:
 >Is it necessary to have the:
 >algorithm?  Can't this simply be implied?  When would you
 >not want to exclude the enveloped Signature element from
 >the canonicalization step?  It seems like additional
 >complexity that is not really needed.
It isn't necessary for external or enveloped Signatures. Having it implied
buys little but potential ambiguity. Consider the behavior of a
canonicalization algorithm where this is implied and one is dealing with
nested enveloped/enveloping Signatures. John's approach of distinguishing
between evaluating-expressions-as-transforms, such as Signature's enveloping

   <XPath xmlns:dsig="&dsig;">
   (//. | //@* | //namespace::*)
   count(ancestor-or-self::dsig:Signature |
here()/ancestor::dsig:Signature[1]) >

or canonicalization's internal/default:

        (//. | //@* | //namespace::*)[not(self::comment())] )

and actual node-set ordering to UTF-8 conversion is quite slick IMHO.

Joseph Reagle Jr.   
W3C Policy Analyst      
IETF/W3C XML-Signature Co-Chair

Received on Friday, 7 July 2000 21:47:11 UTC