Question on canonicalization and namespaces from Spielman, Terence on 2002-06-06 (w3c-ietf-xmldsig@w3.org from April to June 2002)

From: Spielman, Terence <TSpielma@inovant.com>
Date: Thu, 6 Jun 2002 07:37:21 -0700
To: "'w3c-ietf-xmldsig@w3.org'" <w3c-ietf-xmldsig@w3.org>
Cc: "Spielman, Terence" <TSpielma@inovant.com>
Message-Id: <A38C0F5A6E195C48AC2C93BEC33EF83D54FC59@sw745x043.visa.com>

Greetings!

I was hoping someone could help me with some authoritative and
conclusive spec references on a subtle point within XMLDSIG and C14N.

In particular, I am having some problems understanding what the
root context of canonicalization is.

During the XML DSIG process the SignedInfo element is actually
the element that gets canonicalized and serialzied for signature
processing.  It is this canonicalization and serialization that
I have some questions about.

When the SignedInfo element is presented to the canonicalizer,
let us assume that it exists in a default namespace of
"http://www.w3.org/2000/09/xmldsig#".

The question is, does this get serialized as an xmlns attribute
IN THE SIGNEDINFO?  Obviously the 2 posible answers are yes and
no, but in addition to knowing the correct answer, I'd like to
know why (and possibly when).

One posible interpretation is that upon entry into the canonicalizer,
the element being canonicallized is considered a root element and
must serialize all explicit or inherited namespace attributes. This
would render an answer to the above question of "Yes, the namespace
attribute is present in the serialized version of the SignedInfo".

Another possible interpretation is that the NodeSet passed into
the canonicalizer is rooted at an ancestor or the entire XML
document.  In this case, the presence of the namespace attribute
in the serialized version of the SignedInfo element is dependent
on whether the name space attribute was in the parent Signature
element.  If the namespace attribute was in the Signature element, then
it would NOT be serialized in the SignedInfo during canonicalization.

Can anyone tell me which of these intrepretations is correct, if any,
and produce a conclusive spec reference?

I look forward to replies,
Terence Spielman

P.S.  Some related questions:
Is it required for implementations of XMLDISG to list the xmldsig
namespace in the Signature element or an ancestor?  For example, which
of the following is legal?  And in the legal cases, what namespace
attributes will get serialized in the canonical version of the 
SignedInfo?

Case 1 (I'm sure this is legal, but what is the correct canonical
        format of SignedInfo?)
   ...
   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
     <SignedInfo>...
     ...
   </Signature>
   
Case 2
   ...
   <SomeElement xmlns="http://foo.com/#bar"
		xmlns:dsig="www.w3.org/2000/09/xmldsig#">
   ....
     <dsig:Signature>
       <dsig:SignedInfo>
       ...
       </dsig:SignedInfo>
      </dsig:Signature>
    ...
    </SomeElement>

Case 3
   ... // No namespace declared for xmldsig anywhere in document
   <Signature>
     <SignedInfo>...
     </SignedInfo>
   </Signature>

Received on Thursday, 6 June 2002 10:37:36 UTC