- From: merlin <merlin@baltimore.ie>
- Date: Thu, 16 Nov 2000 09:39:52 +0000
- To: Juan Carlos Cruellas <cruellas@ac.upc.es>
- Cc: w3c-ietf-xmldsig@w3.org
r/cruellas@ac.upc.es/2000.11.15/17:14:21
>[...]
>2. Assuming that in XML this kind of behaviour should be allowed, what the
>second <Signature> would sign is the <SignatureValue> element of the first
><Signature> element. So, a <Reference> to this <SignatureValue> should appear
>within the second <Signature>, but NO Id attribute has been specified for the
><SignatureValue> element, so it seems not possible to reference it unless a
>redefinition of the <SignatureValue> element is made.

There are two approaches to this that are possible within the current spec.

One is to use transforms.

  <Signature id="signature-1" xmlns="&dsig;">
    ...
    <SignatureValue>...</SignatureValue>
    ...
    <SignatureProperty Target="#signature-1">
      <CounterSignature>
        <Signature>
          ...
          <Reference URI="#signature-1">
            <Transforms>
              <Transform Algorithm="&xpath;" xmlns:dsig="&dsig;">
                parent::dsig:SignatureValue && ...
              </Transform>
              <Transform Algorithm="&dsig;base64" />
            </Transforms>
            ...
          </Reference>
          ...
        </Signature>
      </CounterSignature>
    </SignatureProperty>
    ...
  </Signature>

Here, we first use an XPath to select the child text node of the
SignatureValue element and then use a Base 64 decode to obtain the
original signature bytes. Note that the XPath is incomplete; as it stands
it will select all SignatureValue elements. An XPointer could achieve a
similar result.

The alternative, and cleaner approach, is to use an implicit reference:

  <Signature id="signature-1" xmlns="&dsig;">
    ...
    <SignatureValue>...</SignatureValue>
    ...
    <SignatureProperty Target="#signature-1">
      <CounterSignature>
        <Signature>
          ...
          <Reference>
            ...
          </Reference>
          ...
        </Signature>
      </CounterSignature>
    </SignatureProperty>
    ...
  </Signature>

You can define that, for your application, an implicit reference (i.e., no
URI) within a CounterSignature should resolve to the decoded signature
value of the Signature that is the target of the SignatureProperty.

Merlin
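The following is an added illustration, not code from the mailing-list post or from any XML Signature implementation. It resolves a counter-signature Reference to the signature octets it covers in both of the ways described above: by following the Reference URI and applying the XPath-then-Base64 transform chain, and by the implicit-reference convention (no URI; resolve to the decoded SignatureValue of the Signature named by the enclosing SignatureProperty's Target). It also shows, with a second SignatureValue present in the document, why the bare XPath in the post is incomplete. The sample document, the Id values and the encoded signature bytes are constructed; the namespace and algorithm URIs are the XML Signature identifiers that the &dsig; and &xpath; entities in the post stand for (assumed here).

```python
"""Resolve a counter-signature Reference to the decoded SignatureValue octets of
the target Signature, in the two ways discussed in the post. Standard library only."""
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"                  # what &dsig; stands for
XPATH_TRANSFORM = "http://www.w3.org/TR/1999/REC-xpath-19991116"  # what &xpath; stands for
BASE64_TRANSFORM = DSIG_NS + "base64"
NS = {"dsig": DSIG_NS}


def tag(local):
    """Clark-notation tag name in the dsig namespace."""
    return "{%s}%s" % (DSIG_NS, local)


# Constructed sample: signature-1 carries a counter-signature (signature-2) whose
# Reference points back at signature-1 with the XPath + Base64 transform chain.
# "AQIDBAUGBwg=" is the Base64 of the bytes 01..08, standing in for a real signature.
SAMPLE_XML = """<Signature Id="signature-1" xmlns="%s">
  <SignedInfo/>
  <SignatureValue> AQIDBAUGBwg= </SignatureValue>
  <Object><SignatureProperties>
    <SignatureProperty Target="#signature-1">
      <CounterSignature>
        <Signature Id="signature-2">
          <SignedInfo>
            <Reference URI="#signature-1">
              <Transforms>
                <Transform Algorithm="%s"/>
                <Transform Algorithm="%s"/>
              </Transforms>
              <DigestMethod Algorithm="%ssha1"/>
              <DigestValue/>
            </Reference>
          </SignedInfo>
          <SignatureValue>AAAAAAAA</SignatureValue>
        </Signature>
      </CounterSignature>
    </SignatureProperty>
  </SignatureProperties></Object>
</Signature>""" % (DSIG_NS, XPATH_TRANSFORM, BASE64_TRANSFORM, DSIG_NS)


def load_sample():
    return ET.fromstring(SAMPLE_XML)


def find_by_id(root, element_id):
    """Scan for the element whose Id (or id, as the post writes it) matches."""
    for el in root.iter():
        if element_id in (el.get("Id"), el.get("id")):
            return el
    return None


def all_signature_values(root):
    """What an unrestricted 'parent::dsig:SignatureValue' XPath would select:
    every SignatureValue in the document, including the counter-signature's own.
    This is why the post calls the XPath incomplete."""
    return [el.text for el in root.iter(tag("SignatureValue"))]


def decoded_signature_value(signature_el):
    """Text of *this* Signature's direct SignatureValue child, Base64-decoded."""
    value = signature_el.find("dsig:SignatureValue", NS)  # direct child, not descendants
    if value is None or not (value.text or "").strip():
        raise ValueError("Signature has no SignatureValue text")
    return base64.b64decode(value.text.strip())


def signature_bytes_via_transforms(root, reference):
    """Approach 1: follow the Reference URI to the target Signature, check that the
    transform chain is XPath then Base64, and apply it to that Signature only."""
    uri = reference.get("URI") or ""
    if not uri.startswith("#"):
        raise ValueError("only same-document fragment URIs are handled here")
    target = find_by_id(root, uri[1:])
    if target is None or target.tag != tag("Signature"):
        raise ValueError("URI does not resolve to a Signature: %r" % uri)
    chain = [t.get("Algorithm") for t in reference.findall("dsig:Transforms/dsig:Transform", NS)]
    if chain != [XPATH_TRANSFORM, BASE64_TRANSFORM]:
        raise ValueError("unexpected transform chain: %r" % chain)
    return decoded_signature_value(target)


def signature_bytes_via_implicit_reference(root, counter_signature):
    """Approach 2: a Reference with no URI inside a CounterSignature resolves, by
    application convention, to the decoded SignatureValue of the Signature named
    by the Target of the enclosing SignatureProperty."""
    parents = {child: parent for parent in root.iter() for child in parent}
    el = parents.get(counter_signature)
    while el is not None and el.tag != tag("SignatureProperty"):
        el = parents.get(el)
    if el is None:
        raise ValueError("counter-signature is not inside a SignatureProperty")
    target = find_by_id(root, (el.get("Target") or "").lstrip("#"))
    if target is None or target.tag != tag("Signature"):
        raise ValueError("SignatureProperty Target does not name a Signature")
    return decoded_signature_value(target)


def resolve_reference(root, reference, counter_signature):
    """Pick the approach from the Reference itself: no URI means implicit."""
    if reference.get("URI") is None:
        return signature_bytes_via_implicit_reference(root, counter_signature)
    return signature_bytes_via_transforms(root, reference)


def reference_digest(signature_octets):
    """DigestValue the counter-signature's Reference would carry (SHA-1, Base64)."""
    return base64.b64encode(hashlib.sha1(signature_octets).digest()).decode("ascii")


if __name__ == "__main__":
    root = load_sample()
    cs = find_by_id(root, "signature-2")
    ref = cs.find("dsig:SignedInfo/dsig:Reference", NS)
    print("bare XPath would select %d SignatureValue nodes" % len(all_signature_values(root)))
    print("via transforms:", signature_bytes_via_transforms(root, ref).hex())
    print("via implicit  :", signature_bytes_via_implicit_reference(root, cs).hex())
    print("DigestValue   :", reference_digest(resolve_reference(root, ref, cs)))
```

Both paths must yield the same octets; the transform path additionally refuses any chain other than XPath followed by Base64, so a Reference that merely points at the whole Signature element is not silently accepted as a counter-signature over the signature value.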
Received on Thursday, 16 November 2000 04:40:14 UTC