- From: Spielman, Terence <TSpielma@inovant.com>
- Date: Thu, 6 Jun 2002 07:37:21 -0700
- To: "'w3c-ietf-xmldsig@w3.org'" <w3c-ietf-xmldsig@w3.org>
- Cc: "Spielman, Terence" <TSpielma@inovant.com>
Greetings! I was hoping someone could help me with some authoritative and conclusive spec references on a subtle point within XMLDSIG and C14N. In particular, I am having some problems understanding what the root context of canonicalization is.

During the XML DSIG process the SignedInfo element is actually the element that gets canonicalized and serialized for signature processing. It is this canonicalization and serialization that I have some questions about. When the SignedInfo element is presented to the canonicalizer, let us assume that it exists in a default namespace of "http://www.w3.org/2000/09/xmldsig#". The question is, does this get serialized as an xmlns attribute IN THE SIGNEDINFO? Obviously the two possible answers are yes and no, but in addition to knowing the correct answer, I'd like to know why (and possibly when).

One possible interpretation is that upon entry into the canonicalizer, the element being canonicalized is considered a root element and must serialize all explicit or inherited namespace attributes. This would render an answer to the above question of "Yes, the namespace attribute is present in the serialized version of the SignedInfo".

Another possible interpretation is that the NodeSet passed into the canonicalizer is rooted at an ancestor or the entire XML document. In this case, the presence of the namespace attribute in the serialized version of the SignedInfo element is dependent on whether the namespace attribute was in the parent Signature element. If the namespace attribute was in the Signature element, then it would NOT be serialized in the SignedInfo during canonicalization.

Can anyone tell me which of these interpretations is correct, if any, and produce a conclusive spec reference?

I look forward to replies,

Terence Spielman

P.S. Some related questions: Is it required for implementations of XMLDSIG to list the xmldsig namespace in the Signature element or an ancestor? For example, which of the following is legal? And in the legal cases, what namespace attributes will get serialized in the canonical version of the SignedInfo?

Case 1 (I'm sure this is legal, but what is the correct canonical format of SignedInfo?)

  ...
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>...
    ...
  </Signature>

Case 2

  ...
  <SomeElement xmlns="http://foo.com/#bar" xmlns:dsig="www.w3.org/2000/09/xmldsig#">
    ....
    <dsig:Signature>
      <dsig:SignedInfo>
      ...
      </dsig:SignedInfo>
    </dsig:Signature>
    ...
  </SomeElement>

Case 3

  ...
  // No namespace declared for xmldsig anywhere in document
  <Signature>
    <SignedInfo>...
    </SignedInfo>
  </Signature>
Received on Thursday, 6 June 2002 10:37:36 UTC
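The distinction the mail asks about is decided by the namespace-axis rule of Canonical XML 1.0: a namespace node of an element is omitted only when the nearest ancestor element that is itself in the node-set (the "output parent") carries a namespace node with the same name and value. XPath namespace nodes include inherited declarations, so when the node-set is the SignedInfo subtree and the Signature element is outside it, SignedInfo becomes the root of the output and every in-scope declaration is rendered on it, including ones it never declared itself (the second mail case below also pulls in the unrelated default namespace of SomeElement, which is the behaviour Exclusive XML Canonicalization was designed to avoid). The toy serializer below is an added example, not code from the mail, the list or any XMLDSIG implementation; it implements only the element, attribute, text and namespace-axis rules of inclusive C14N 1.0 (no comments, processing instructions or xml:* attribute inheritance), the three input documents are constructed after the mail's cases (case 2 with the full namespace URI), and `CanonicalizationMethod`, `subtree_of` and `canonical_signedinfo` are names chosen for the example.

```python
"""Toy Canonical XML 1.0 serializer with an explicit node-set.  Added example,
not code from the original mail; it shows when a canonicalized SignedInfo
carries xmlns declarations.  Only element, attribute, text and namespace-axis
rules are implemented (no comments, PIs or xml:* attribute inheritance)."""
from xml.dom import Node, minidom

XMLNS_NS = "http://www.w3.org/2000/xmlns/"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
C14N_ALG = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"


def namespace_axis(elem):
    """XPath namespace nodes of elem: every prefix -> URI in scope, inherited
    declarations included.  The implied 'xml' prefix is left out (never rendered)."""
    ancestors, node = [], elem
    while node is not None and node.nodeType == Node.ELEMENT_NODE:
        ancestors.append(node)
        node = node.parentNode
    scope = {}
    for e in reversed(ancestors):           # outermost first, so inner declarations win
        for i in range(e.attributes.length):
            a = e.attributes.item(i)
            if a.namespaceURI == XMLNS_NS:
                scope["" if a.name == "xmlns" else a.localName] = a.value or ""
    if scope.get("") == "":
        del scope[""]                       # xmlns="" means there is no default namespace node
    return scope


def escape(text, attr=False):
    """Character escaping C14N requires for text nodes and (attr=True) attribute values."""
    text = text.replace("&", "&amp;").replace("<", "&lt;").replace("\r", "&#xD;")
    if attr:
        return text.replace('"', "&quot;").replace("\t", "&#x9;").replace("\n", "&#xA;")
    return text.replace(">", "&gt;")


def c14n(node, in_set, out_parent_ns=None):
    """Render the part of node's subtree selected by in_set(element).
    out_parent_ns is the namespace axis of the nearest ancestor that was itself
    rendered; None means this element is the root of the output, which is the
    SignedInfo situation whenever the Signature element is not in the node-set."""
    if node.nodeType == Node.TEXT_NODE:
        return escape(node.data) if in_set(node.parentNode) else ""
    if node.nodeType != Node.ELEMENT_NODE or not in_set(node):
        # Document node or element outside the node-set: its children may still be
        # rendered and keep the same output parent.
        return "".join(c14n(c, in_set, out_parent_ns) for c in node.childNodes)

    ns = namespace_axis(node)
    decls = []
    for prefix in sorted(ns):               # "" sorts first: default namespace before prefixes
        # C14N 1.0 namespace-axis rule: omit a namespace node only when the nearest
        # *output* ancestor has a namespace node with the same name and value.
        if out_parent_ns is None or out_parent_ns.get(prefix) != ns[prefix]:
            decls.append(("xmlns:" + prefix if prefix else "xmlns", ns[prefix]))
    if out_parent_ns and "" in out_parent_ns and "" not in ns:
        decls.insert(0, ("xmlns", ""))      # output parent had a default namespace, we undeclare it

    attrs = [node.attributes.item(i) for i in range(node.attributes.length)]
    attrs = [a for a in attrs if a.namespaceURI != XMLNS_NS]
    attrs.sort(key=lambda a: (a.namespaceURI or "", a.localName))
    decls += [(a.name, a.value) for a in attrs]

    start = node.tagName + "".join(' %s="%s"' % (n, escape(v, attr=True)) for n, v in decls)
    body = "".join(c14n(c, in_set, ns) for c in node.childNodes)
    return "<%s>%s</%s>" % (start, body, node.tagName)


def subtree_of(root):
    """Node-set predicate: root and all its descendants (XMLDSIG's SignedInfo node-set)."""
    def in_set(node):
        while node is not None:
            if node is root:
                return True
            node = node.parentNode
        return False
    return in_set


def canonical_signedinfo(xml, signedinfo_only=True):
    """Canonicalize the SignedInfo of xml either as a node-set rooted at SignedInfo
    (Signature excluded) or as part of the whole document."""
    doc = minidom.parseString(xml)
    si = [e for e in doc.getElementsByTagName("*") if e.localName == "SignedInfo"][0]
    in_set = subtree_of(si) if signedinfo_only else (lambda n: True)
    return c14n(doc, in_set)


# Constructed inputs modelled on the three cases of the mail (case 2 with the full
# namespace URI); whitespace omitted so it does not appear as text nodes.
METHOD = '<%sCanonicalizationMethod Algorithm="%s"/>'
CASE1 = '<Signature xmlns="%s"><SignedInfo>%s</SignedInfo></Signature>' % (DSIG_NS, METHOD % ("", C14N_ALG))
CASE2 = ('<SomeElement xmlns="http://foo.com/#bar" xmlns:dsig="%s"><dsig:Signature>'
         '<dsig:SignedInfo>%s</dsig:SignedInfo></dsig:Signature></SomeElement>'
         % (DSIG_NS, METHOD % ("dsig:", C14N_ALG)))
CASE3 = '<Signature><SignedInfo>%s</SignedInfo></Signature>' % (METHOD % ("", C14N_ALG))

if __name__ == "__main__":
    for name, xml in (("case 1", CASE1), ("case 2", CASE2), ("case 3", CASE3)):
        print(name, "SignedInfo node-set:", canonical_signedinfo(xml))
        print(name, "whole document:    ", canonical_signedinfo(xml, signedinfo_only=False))
```

Running it prints, for case 1, `<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">...` when the node-set is the SignedInfo subtree and `<Signature xmlns="..."><SignedInfo>...` with no declaration on SignedInfo when the whole document is canonicalized; for case 2 the subtree form starts `<dsig:SignedInfo xmlns="http://foo.com/#bar" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">`, carrying the foreign default namespace along; for case 3 no declaration is rendered at all, because a SignedInfo in no namespace has no namespace node to render (a namespace-aware schema validator would also not recognise it as the xmldsig SignedInfo element). Note that in inclusive C14N the signature value therefore depends on declarations in the enclosing document, which is why moving a signed fragment between documents changes its canonical form.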