XML validation clarification? from Frederick J. Hirsch on 2001-01-21 (w3c-ietf-xmldsig@w3.org from January to March 2001)

From: Frederick J. Hirsch <hirsch@caveosystems.com>
Date: Sun, 21 Jan 2001 16:17:14 -0500
To: <w3c-ietf-xmldsig@w3.org>
Message-ID: <NEBBLPMKCKBLFHBJIHPCGEHHCIAA.hirsch@caveosystems.com>

I would like to clarify how XML validation works with XML Digital Signatures
(also applicable to confidentiality). [Is there a more appropriate place to
raise such a topic?]

If I have an XML document with an associated DTD or schema, I may validate that
document.
The document might be
<info>
<item>abc</item>
</info>

If I decide to sign that document I may use a detached signature or an enveloped
or enveloping signature.

If I use a detached signature I may continue to validate the document since the
signature is an independent XML document. I may also validate the signature
document, using the apropriate DTD or schema which takes into account
SignatureProperties.

I may also decide to create another XML document which includes both the
original document element and the signature element - I can validate this
combined document against a DTD or schema. This schema may refer to the original
schemas for the original document and signature (as is done in the P3P profile),
or for a DTD I may have to write a new one. Although the two documents are
together, the signature reference will refer to the independent original
document URI and not provide a fragment reference to the content in the combined
document, so it won't be really fully self-contained.
<binding>
<info>...<info>
<Signature>...<Reference URL="http://somewhere/foo.xml">..</Signature>
</binding>

If I create an enveloped signature, this means that when I sign the original XML
document the  signature element is added to the document. Thus the original
document becomes:

<info>
<item>abc</item>
<Signature>...<Reference URI="">...</Signature>
</info>

In this case the reference URI refers to the actual XML document which includes
the signature. This document will no longer validate unless the original
document DTD or schema included an optional signature definition. Namespaces
prevent name collisions but do not address the validation issue. Even if I have
a namespace aware validating parser, this parser would still need both schemas
and even then would not be able to validate this combined document - since the
individual schemas would say nothing about how the two documents are combined
(is that true?)

Is this an argument for generally using detached signatures and then defining
and creating new combination documents (as done in the P3P profile)? Is there a
free validating parser which can validate enveloped signatures?

thanks

< Frederick

Received on Sunday, 21 January 2001 16:10:13 UTC