RE: signature portability / C14N / inherited namespaces

Hi Merlin,

<merlin>
Unfortunately XPath does not successfully address the problem
of _signature_ portability. The signed info is canonicalized
directly with no transforms (for obvious reasons), so there
is no way to omit unwanted namespaces in this case.
</merlin>

Good point.  I've always been a big advocate of being able to XPath
filter the SignedInfo (with the exception that the filter itself would
be signed whether or not it was excluded by the XPath).  In fact, there
would be no need for this two-step that we do of signing hashes if we
could apply an XPath to the data that will be hashed and signed by the
signer's private key.  However, the group was really afraid of any kind
of XPath filtering for quite some time, so this suggestion was pretty
much out of the question.  Too bad.

In any case, though, if filtering the SignedInfo ever is considered in a
future version of DSig, then C14N will be able to handle it.  I.e. this
doesn't change the point I made to Rob, which is that C14N is already
configurable to support the elimination of unwanted namespace nodes.

<merlin>
However, I see no alternative to simply deparenting embedded
signed documents before verification, if that does indeed work.
</merlin>

Agreed. This is what everyone figured would have to happen.

John Boyer

Received on Wednesday, 16 May 2001 17:34:31 UTC
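The portability problem and the deparenting workaround discussed above, as an added example that is not part of the original message. `c14n` is a simplified stand-in for inclusive Canonical XML (elements, attributes and text only), and the sample documents, the `urn:example:envelope` namespace and all function names are constructed for illustration.

```python
import hashlib
from xml.dom import minidom

DS = "http://www.w3.org/2000/09/xmldsig#"
# Constructed sample: a bare signature, then the same bytes inside an envelope.
STANDALONE = ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo>'
              '<ds:Reference URI="#obj"/></ds:SignedInfo></ds:Signature>' % DS)
ENVELOPE = ('<env:Envelope xmlns:env="urn:example:envelope">%s</env:Envelope>'
            % STANDALONE)

def in_scope_ns(node):
    """xmlns declarations visible at node; the nearest declaration wins."""
    scope = {}
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        for name, value in node.attributes.items():
            if name == "xmlns" or name.startswith("xmlns:"):
                scope.setdefault(name, value)
        node = node.parentNode
    return scope

def esc(text, attr=False):
    text = text.replace("&", "&amp;").replace("<", "&lt;")
    return text.replace('"', "&quot;") if attr else text.replace(">", "&gt;")

def c14n(elem, rendered=None):
    """Simplified inclusive canonical form of elem taken as a document subset."""
    rendered = dict(rendered or {})
    ns = {k: v for k, v in in_scope_ns(elem).items() if rendered.get(k) != v}
    rendered.update(ns)
    attrs = {k: v for k, v in elem.attributes.items()
             if k != "xmlns" and not k.startswith("xmlns:")}
    out = "<" + elem.tagName
    for pairs in (ns, attrs):  # namespace nodes first, then attributes, each sorted
        out += "".join(' %s="%s"' % (k, esc(pairs[k], True)) for k in sorted(pairs))
    out += ">"
    for child in elem.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            out += c14n(child, rendered)
        elif child.nodeType == child.TEXT_NODE:
            out += esc(child.data)
    return out + "</%s>" % elem.tagName

def signedinfo_digest(xml, deparent=False):
    """Digest of canonical SignedInfo, standing in for the signature input."""
    sig = minidom.parseString(xml).getElementsByTagNameNS(DS, "Signature")[0]
    if deparent and sig.parentNode.nodeType == sig.ELEMENT_NODE:
        sig.parentNode.removeChild(sig)  # ds: is declared on Signature itself
    info = sig.getElementsByTagNameNS(DS, "SignedInfo")[0]
    return hashlib.sha256(c14n(info).encode("utf-8")).hexdigest()
```

Deparenting is this simple only because the sample declares `ds:` on the Signature element; a signature relying on prefixes declared by an ancestor would need those declarations carried along when it is detached.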