Problem with merlin-xmldsig-sixteen/signature.xml from Christian Geuer-Pollmann on 2001-10-04 (w3c-ietf-xmldsig@w3.org from October to December 2001)

From: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>
Date: Thu, 04 Oct 2001 21:23:24 +0200
To: merlin <merlin@baltimore.ie>
Cc: reagle@w3.org, w3c-ietf-xmldsig@w3.org
Message-id: <1503224189.1002230604@pinkpanther>

Hi Merlin,

I have a question about your sample signature from 
merlin-xmldsig-sixteen/signature.xml: I can verify _all_ References but not 
the one with URI="#xpointer(id('object-3'))" and no Transforms:

In the file, there was this snippet:

<Reference Type="http://www.w3.org/2000/09/xmldsig#Object" 
URI="#xpointer(id('object-3'))">
  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
  <DigestValue>0aW4L0GoFzYUo4gyZSfoyZBhpuc=</DigestValue>
</Reference>

After dereferencing the XPointer URI with _my_ implementation, all comment 
nodes are available in the input. Is this right? What I found in the spec 
was these two code snippets:

4.3.3.2 The Reference Processing Model
  We RECOMMEND support for the same-document XPointers '#xpointer(/)'
  and '#xpointer(id('ID'))' if the application also intends to support
  any canonicalization that preserves comments.

4.3.3.3 Same-Document URI-References
  To retain comments while selecting an element by an identifier ID,
  use the following full XPointer: URI='#xpointer(id('ID'))'.

What I understood from this was that de-referncing an XPointer URI means 
that Comments are available before I feed the input to my (possibly 
defined) transforms (otherwise, it would not make sense to use a 
c14n#WithComments because they have been already stripped away before this 
transform can take place).

Is there a mistake in the example or do I misunderstand the spec? From what 
I see, it should be something like this (cryptographically correct values):

<!-- If we want comments; we don't have to do something because they are 
there -->
<Reference Type="http://www.w3.org/2000/09/xmldsig#Object"
           URI="#xpointer(id('object-3'))">
  <DigestMethod
           Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
  <DigestValue>1puYWb36Z5TIDmEIVd/JLR3iD8Y=</DigestValue>
</Reference>

<!-- If we want no comments, so we have to kick them away -->
<Reference Type="http://www.w3.org/2000/09/xmldsig#Object"
           URI="#xpointer(id('object-3'))">
  <Transforms>
    <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" 
/>
  </Transforms>
  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
  <DigestValue>0aW4L0GoFzYUo4gyZSfoyZBhpuc=</DigestValue>
</Reference>


Best regards,
Christian

Received on Thursday, 4 October 2001 15:21:20 UTC