
Re: signature portability / C14N / inherited namespaces

From: merlin <merlin@baltimore.ie>
Date: Wed, 16 May 2001 22:19:03 +0100
To: "John Boyer" <JBoyer@PureEdge.com>
Cc: "Rob Lugt" <roblugt@elcel.com>, reagle@w3.org, w3c-ietf-xmldsig@w3.org
Message-Id: <20010516211903.92A5F44C69@yog-sothoth.ie.baltimore.com>
>Actually, it does not.  
>"will be rendered to the canonical form with namespace declarations that
>***may*** have been made in its omitted ancestors, thus preserving the
>meaning of the element."
>The intent of the sentence is only to communicate that when you c14n
>(and subsequently sign) an element within a document (or any doc subset)
>rather than the whole document, then the doc-subset may contain
>namespaces from ancestors even if you've omitted the ancestor elements
>themselves.  However, if your XPath expression explicitly omits certain
>namespace nodes (possibly indirectly, by only keeping namespace nodes
>meeting a specific criterion), then they are omitted. See the Namespace
>Axis processing method in the Processing Model (Section 2.3).  A
>namespace node is processed if it is in the axis AND in the node-set.

Unfortunately XPath does not successfully address the problem
of _signature_ portability. The signed info is canonicalized
directly with no transforms (for obvious reasons), so there
is no way to omit unwanted namespaces in this case.

However, I see no alternative to simply deparenting embedded
signed documents before verification, if that does indeed work.


Received on Wednesday, 16 May 2001 17:20:07 UTC
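
The portability problem discussed in this message, as an added example (not code from the thread or from any XML Signature implementation): a simplified inclusive C14N of `ds:SignedInfo` picks up a namespace declared on an ancestor once the signature is embedded, so the bytes that get digested change, and copying the `Signature` into its own document restores them. The sample documents, the `app:Envelope` wrapper and its `http://example.com/app` URI are constructed, and the canonicalizer assumes no comments, PIs or XPath node-set filtering.

```python
from xml.dom import minidom, Node

DS = "http://www.w3.org/2000/09/xmldsig#"
# Constructed sample: a standalone signature, then the same markup inside an envelope.
SIG = ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo>'
       '<ds:Reference URI="#payload"></ds:Reference>'
       '</ds:SignedInfo></ds:Signature>' % DS)
EMBEDDED = '<app:Envelope xmlns:app="http://example.com/app">%s</app:Envelope>' % SIG

def is_ns(name):
    return name == "xmlns" or name.startswith("xmlns:")

def in_scope_ns(elem):
    """Namespace declarations visible at elem, including inherited ones."""
    chain, scope = [], {}
    while elem is not None and elem.nodeType == Node.ELEMENT_NODE:
        chain.append(elem)
        elem = elem.parentNode
    for e in reversed(chain):  # outermost first, so inner declarations win
        scope.update((k, v) for k, v in e.attributes.items() if is_ns(k))
    return scope

def esc(s, quote=False):
    s = s.replace("&", "&amp;").replace("<", "&lt;")
    return s.replace('"', "&quot;") if quote else s.replace(">", "&gt;")

def c14n(elem, rendered=None):
    """Simplified inclusive C14N of a subtree. The apex element has no rendered
    ancestor, so every namespace in scope (inherited ones too) is emitted on it."""
    scope = in_scope_ns(elem)
    ns = {k: v for k, v in scope.items() if (rendered or {}).get(k) != v}
    attrs = {k: v for k, v in elem.attributes.items() if not is_ns(k)}
    out = "<" + elem.tagName
    for group in (ns, attrs):  # namespaces first, then attributes, each sorted by name
        out += "".join(' %s="%s"' % (k, esc(group[k], True)) for k in sorted(group))
    out += ">"
    for child in elem.childNodes:
        if child.nodeType == Node.ELEMENT_NODE:
            out += c14n(child, scope)
        elif child.nodeType == Node.TEXT_NODE:
            out += esc(child.data)
    return out + "</%s>" % elem.tagName

def signed_info_c14n(xml_text, deparent=False):
    sig = minidom.parseString(xml_text).getElementsByTagName("ds:Signature")[0]
    if deparent:  # copy the Signature into a fresh document, dropping its ancestors
        doc = minidom.Document()
        sig = doc.appendChild(doc.importNode(sig, True))
    return c14n(sig.getElementsByTagName("ds:SignedInfo")[0])
```

Deparenting restores the original bytes here only because the constructed `Signature` element declares the `ds` prefix itself; a signature that relied on a declaration made by its envelope would lose it in the copy.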
