
Re: signature portability / C14N / inherited namespaces

From: merlin <merlin@baltimore.ie>
Date: Wed, 16 May 2001 22:19:03 +0100
To: "John Boyer" <JBoyer@PureEdge.com>
Cc: "Rob Lugt" <roblugt@elcel.com>, reagle@w3.org, w3c-ietf-xmldsig@w3.org
Message-Id: <20010516211903.92A5F44C69@yog-sothoth.ie.baltimore.com>
r/JBoyer@PureEdge.com/2001.05.16/11:22:33
>[...]
>Actually, it does not.  
>
>"will be rendered to the canonical form with namespace declarations that
>***may*** have been made in its omitted ancestors, thus preserving the
>meaning of the element."
>
>The intent of the sentence is only to communicate that when you c14n
>(and subsequently sign) an element within a document (or any doc subset)
>rather than the whole document, then the doc-subset may contain
>namespaces from ancestors even if you've omitted the ancestor elements
>themselves.  However, if your XPath expression explicitly omits certain
>namespace nodes (possibly indirectly, by only keeping namespace nodes
>meeting a specific criterion), then they are omitted. See the Namespace
>Axis processing method in the Processing Model (Section 2.3).  A
>namespace node is processed if it is in the axis AND in the node-set.

Unfortunately XPath does not successfully address the problem
of _signature_ portability. The signed info is canonicalized
directly with no transforms (for obvious reasons), so there
is no way to omit unwanted namespaces in this case.

However, I see no alternative to simply deparenting embedded
signed documents before verification, if that does indeed work.

Merlin


Received on Wednesday, 16 May 2001 17:20:07 UTC
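
An added illustration of the portability problem discussed in this message (not code from the thread or from any XMLDSIG implementation): a simplified inclusive-C14N renderer, covering only elements, attributes and text, applied to the same SignedInfo standing alone, embedded under an envelope, and after re-rooting. The envelope namespace, the sample documents and all function names are constructed for the example.

```python
import hashlib
from xml.dom import minidom
from xml.sax.saxutils import escape

DSIG = "http://www.w3.org/2000/09/xmldsig#"
# Constructed sample: a Signature whose SignedInfo is canonicalized with no transforms.
STANDALONE = ('<Signature xmlns="' + DSIG + '"><SignedInfo>'
              '<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>'
              '<Reference URI="#payload"/></SignedInfo></Signature>')
# The same Signature carried inside a constructed envelope that declares its own namespace.
EMBEDDED = '<env:Envelope xmlns:env="urn:example:envelope">' + STANDALONE + '</env:Envelope>'

def is_ns(name):
    return name == "xmlns" or name.startswith("xmlns:")

def in_scope_ns(el):
    """Namespace declarations visible at el; the nearest declaration wins."""
    ns = {}
    while el is not None and el.nodeType == el.ELEMENT_NODE:
        for name, value in el.attributes.items():
            if is_ns(name):
                ns.setdefault(name, value)
        el = el.parentNode
    return ns

def c14n(el, rendered=None):
    """Simplified inclusive C14N: elements, attributes and text only."""
    rendered = rendered or {}
    scope = in_scope_ns(el)
    # Emit every in-scope namespace that an output ancestor has not already emitted.
    decls = sorted((n, v) for n, v in scope.items() if rendered.get(n) != v)
    attrs = sorted((n, v) for n, v in el.attributes.items() if not is_ns(n))
    out = "<" + el.tagName
    out += "".join(' %s="%s"' % (n, escape(v, {'"': "&quot;"})) for n, v in decls + attrs) + ">"
    for child in el.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            out += c14n(child, {**rendered, **scope})
        elif child.nodeType == child.TEXT_NODE:
            out += escape(child.data)
    return out + "</" + el.tagName + ">"

def signed_info_octets(xml, deparent=False):
    """Octets fed to the signature algorithm for the first Signature in xml."""
    sig = minidom.parseString(xml).getElementsByTagNameNS(DSIG, "Signature")[0]
    if deparent:
        # Re-root: serialise the Signature alone and reparse it as its own document.
        sig = minidom.parseString(sig.toxml()).documentElement
    return c14n(sig.getElementsByTagNameNS(DSIG, "SignedInfo")[0]).encode("utf-8")

def fingerprint(octets):
    return hashlib.sha256(octets).hexdigest()  # stand-in for the hash inside SignatureMethod
```

In this sample the only difference between the standalone and embedded octets is the inherited xmlns:env declaration on the SignedInfo start tag, and re-rooting the Signature before canonicalization removes it.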
