- From: John Boyer <JBoyer@PureEdge.com>
- Date: Wed, 16 May 2001 14:31:53 -0700
- To: "merlin" <merlin@baltimore.ie>
- Cc: "Rob Lugt" <roblugt@elcel.com>, <reagle@w3.org>, <w3c-ietf-xmldsig@w3.org>
Hi Merlin, <merlin> Unfortunately XPath does not successfully address the problem of _signature_ portability. The signed info is canonicalized directly with no transforms (for obvious reasons), so there is no way to omit unwanted namespaces in this case. </merlin> Good point. I've always been a big advocate of being able to XPath filter the SignedInfo (with the exception that the filter itself would be signed whether or not it was excluded by the XPath). In fact, there would be no need for this two step that we do of signing hashes if we could apply an XPath to the data that will be hashed and signed by the signer's private key. However, the group was really afraid of any kind of XPath filtering for quite some time, so this suggestion was pretty much out of the question. Too bad. In any case, though, if filtering the SignedInfo ever is considered in a future version of DSig, then C14N will be able to handle it. I.e. this doesn't change the point I made to Rob, which is that C14N is already configurable to support the elimination of unwanted namespace nodes. <merlin> However, I see no alternative to simply deparenting embedded signed documents before verification, if that does indeed work. </merlin> Agreed. This is what everyone figured would have to happen. John Boyer
Received on Wednesday, 16 May 2001 17:34:31 UTC