- From: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>
- Date: Tue, 30 Apr 2002 10:28:54 +0200
- To: Gregor Karlinger <gregor.karlinger@iaik.at>, XMLSigWG <w3c-ietf-xmldsig@w3.org>
Hi Gregor, I would say that this sequence is ILLEGAL and/or simply does not work because c14n trashes the here() context and is therefore not allowed. XPath or enveloped-signature requires re-parsing and then here() is evaluated against a different document. Apache impl throws exception in that case... Regards, Christian --On Dienstag, 30. April 2002 09:33 +0200 Gregor Karlinger <gregor.karlinger@iaik.at> wrote: > Recently I had a discussion with a customer regarding > the legality of an XML signature bearing a reference > that has the following structure (which does not make > sense at all, but should demonstrate the problem): > > 1. The URI attribute contains the empty string ""; > 2. The first transform is a C14N transform; > 3. The second transform is an enveloped sig. tf. > > I argued that such a signature is not legal regarding > the processing model of XMLDSIG, since it is impossible > to cut out the signature from a node set which, due > to the intermediate C14N transform, does not represent > the original XML document bearing the XML signature. > > A similar problem occurs, if the env. sig. tf. is re- > placed by an XPath transform using the here() function. > > Any opinions? > > Regards, Gregor >
Received on Tuesday, 30 April 2002 04:25:09 UTC