RE: Question on canonicalization and namespaces

Christian:

Excellent point.  As you point out, the presence of the xmlns attribute
in the Signature element in the Information Set vs the serialized version
means different things.  

If it happens to be ommited in the serialized (marshalled) XML,
that does NOT exlude it from the Information Set.  Although I agree the
ommission
would be considered a poor practice.

Regardless, the presence or absence in the serialization is irrelevant
in the context of the actual signature since the Signature element is not
actually
hashed, only the canonical version of the SignedInfo is subject to the
crypto.

Thanks for making me realize that my question was one primarily of style and
not
cryptographic significance!

-Terence


> -----Original Message-----
> From: Christian Geuer-Pollmann
> [mailto:geuer-pollmann@nue.et-inf.uni-siegen.de]
> Sent: Monday, September 30, 2002 10:55 AM
> To: Spielman, Terence; 'w3c-ietf-xmldsig@w3.org'
> Cc: 'reagle@w3.org'
> Subject: RE: Question on canonicalization and namespaces
> 
> 
> 
> 
> --On Monday, September 30, 2002 8:05 AM -0700 "Spielman, Terence" 
> <TSpielma@inovant.com> wrote:
> 
> >
> > Sorry to revive a dead topic, but it's been pointed out to me
> > that the answer I received on this list might be erroneous.
> >
> >> > If anyone could quickly answer the following yes/no questions as
> >> > well, I would appreciate it.  Based on my readings of the specs
> >> > (XML, Namespaces, XMLDSIG), my answers are in square brackets.
> >> >
> >> > 1) Is it required that the Signature element have a namespace
> >> >    node with a value of "http://www.w3.org/2000/09/xmldsig#"?
> >> >    [No if the XML need only be well-formed and Yes otherwise]
> >>
> >> Yes. The Signature element must be bound to that namespace.
> >> This can look
> >> like this:
> >>
> >> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" 
> >...</Signature>
> >>
> >> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> >> > ...</ds:Signature>
> >>
> >> or even
> >>
> >> <doc xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >>    <ds:Signature>....</ds:Signature>
> >> </doc>
> >>
> >> In the latter case, there is no DOM node (no 'Attribute') in the
> >> ds:Signature element, but the namespace is in scope.
> >>
> >
> > I understand both of these example, in which the namespace is
> > eitehr explicitly declared in the Signature element or inherited,
> > but the XML DSIG DTD states the following:
> >
> >    <!ATTLIST Signature
> >     xmlns   CDATA   #FIXED 'http://www.w3.org/2000/09/xmldsig#'
> >     Id      ID  #IMPLIED >
> >
> > And #FIXED means that if the xmlns is omitted, it will take 
> the value of
> > specified above.  This would lead me to believe that the 
> xmlns attribute
> > does NOT explicitly need to be included or inherited.  
> Although this does
> > disturb me.  Can anyone set me straight?
> >
> > Thanks!
> > Terence
> 
> I guess that there is a bit confusion between the XML 
> Information Set and 
> the serialized form of XML: Given a document which does *not* 
> explicitly 
> specify the xmlns="http://www.w3.org/2000/09/xmldsig#" in a 
> <Signature> 
> element. If you parse this document, the namespace NODE *is* 
> there, even if 
> you don't see it in the serialized form (which is only 
> octets). But the 
> node (in the XPath data model) MUST be there.
> 
> My personal opinion is that it's a bad idea to omit namespace 
> declarations 
> from an XML instance and to hope that the gaps are filled by 
> a validating 
> parser. Omitting things (like default attributes) and then creating 
> signatures is not that nice, because a signature should be 
> explicit on what 
> was signed.
> 
> The DTD above is included in the dsig spec as during the 
> creation of this 
> spec, schemas were not fully finished.
> 
> Christian
>

Received on Monday, 30 September 2002 13:16:49 UTC