- From: Mauro Arcolini <arcolini@sec.di.unipi.it>
- Date: Thu, 7 Feb 2002 11:48:36 +0100
- To: <w3c-ietf-xmldsig@w3.org>
- Message-ID: <003001c1afc4$ff0edee0$0702a8c0@int.di.unipi.it>
Example:
> <test:a ...>
>   ...
>   <ds:Signature ... >...</ds:Signature> <!-- first signature refers to
>   test:a -->
>   <ds:Signature ... >...</ds:Signature> <!-- second signature
>   refers also to test:a -->
> </test:a>
>
> Both of these signatures contain enveloped transform and refer to the
> same "test:a" element. According to the specification the first
> signature should sign the second one and the second one should sign the
> first. The same problem arises during verification phase. Is there any
> recommendation for this case?

>>When you add sig1 to the document, you sign the document (which does
>>include sig1 and the data) and exclude sig1. Then you add sig2 which signs
>>the document (data + sig1 + sig2) and then exclude sig2;
>>Verification of sig2 will work ok, but verification of sig1 fails: You
>>verify the document (data + sig1 + sig2) and exclude sig1. So you verify
>>(data + sig2) which was not signed (only data was signed).
>>Solution: Use an XPath which omits all Signatures, not only the current one.

Is the XPath only for the first ds:Signature? If yes, there is no problem for
verification of the first ds:Signature after adding other ds:Signature elements,
but what about the second ds:Signature? The second ds:Signature also signs the
first, but after adding another ds:Signature, the verification fails.

Solution: For each ds:Signature, use an XPath that omits all ds:Signature
elements added after it. But does an XPath for this problem really exist?

Mauro Arcolini, GapXse
Received on Thursday, 7 February 2002 05:35:39 UTC
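
The three exclusion rules discussed in this message, compared in a small simulation that is an added example and not part of the original post or of any XML-DSig implementation. It models each rule by the position of the ds:Signature children rather than by a real XPath transform, uses a SHA-256 digest in place of a real signature value, and assumes signatures are appended in document order; the policy names and the `urn:example:test` namespace are made up for the example.

```python
import copy
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SIG = f"{{{DS}}}Signature"

# Positions of the ds:Signature children that signature k leaves out of its
# digest input, given n signatures in the document (hypothetical policy names).
POLICIES = {
    "enveloped": lambda k, n: {k},                         # only itself
    "omit_all": lambda k, n: set(range(n)),                # every ds:Signature
    "omit_self_and_later": lambda k, n: set(range(k, n)),  # itself and later ones
}

def digest(root, k, policy):
    """SHA-256 of the canonicalized document as signature k sees it."""
    doc = copy.deepcopy(root)
    sigs = doc.findall(SIG)
    for i in POLICIES[policy](k, len(sigs)):
        doc.remove(sigs[i])
    c14n = ET.canonicalize(ET.tostring(doc, encoding="unicode"))
    return hashlib.sha256(c14n.encode()).hexdigest()

def sign(root, policy):
    """Append a ds:Signature; its text stands in for the real signature value."""
    sig = ET.SubElement(root, SIG)
    sig.text = digest(root, len(root.findall(SIG)) - 1, policy)

def verify(root, k, policy):
    return root.findall(SIG)[k].text == digest(root, k, policy)

def signed_twice(policy):
    root = ET.fromstring('<a xmlns="urn:example:test">data</a>')  # constructed sample
    sign(root, policy)
    sign(root, policy)
    return root

def verification_results(policy):
    root = signed_twice(policy)
    return [verify(root, 0, policy), verify(root, 1, policy)]

def second_covers_first(policy):
    """True if altering the first signature breaks the second one."""
    root = signed_twice(policy)
    root.findall(SIG)[0].text = "tampered"
    return not verify(root, 1, policy)

if __name__ == "__main__":
    for name in POLICIES:
        print(name, verification_results(name), second_covers_first(name))
```

Omitting every signature makes both verify but leaves the first signature outside what the second one protects; omitting only the current and later signatures keeps both properties in this model.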