Re: verification anomaly

responding to myself, according to:

http://www.w3.org/TR/xmldsig-core/#sec-ReferenceProcessingModel
4.3.3.2 The Reference Processing Model

The Transforms specified in this document are defined with respect to the input they require. The following is the default signature application behavior:
 
If the data object is an octet stream and the next transform requires a node-set, the signature application MUST attempt to parse the octets yielding the required node-set via [XML] well-formed processing. 
If the data object is a node-set and the next transform requires octets, the signature application MUST attempt to convert the node-set to an octet stream using Canonical XML [XML-C14N]. 

As the data object is a node-set, the application must convert it to octets using c14n.

and the reference used is

URI="#chapter1" 
Identifies a node-set containing the element with ID attribute value 'chapter1' of the XML resource containing the signature. XML Signature (and its applications) modify this node-set to include the element plus all descendents including namespaces and attributes -- but not comments. 


But we don't have a next transformation here... we assume that the next transformation is the digest itself, so we apply it anyway?


Martin

----- Original Message ----- 
  From: Martin Labarthe Dubois 
  To: w3c-ietf-xmldsig@w3.org 
  Sent: Thursday, June 09, 2005 2:11 PM
  Subject: verification anomaly


  Hello,

  Must the c14n transformation be applied by default to the referenced areas?




  I have signed the same document twice; one of the documents is verified as valid with the IBM XML security suite and the other is invalid according to the same suite.

  But if you look at the document reference

  <Reference URI="#T33F4">
  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
  <DigestValue>kh+fjTciEttBSDaWYFeVw97kGRg=</DigestValue>
  </Reference>

  you can see that no transformation is applied, in particular not c14n.

  And the difference between the two documents is that in the valid one the referenced area is c14n transformed, and in the invalid
  document no transformation is applied to the referenced area before calculating the referenced area digest.

  The only change that the transformation makes in this case is to eliminate one whitespace character where it says:

  <Documento  ID="T33F4"> (you have two whitespaces between Documento and ID), which is removed after applying c14n.

  The question is: shouldn't it be the opposite? If no transformation is mentioned in the reference, why apply c14n?
  Or must c14n be applied by default?
  Thanks in advance,
  Martin

Received on Friday, 10 June 2005 21:50:07 UTC
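The behaviour discussed in this thread, worked through as an added example (it is not code from the thread, the IBM suite, or the W3C spec): a same-document reference like `URI="#T33F4"` yields a node-set, and with no `Transforms` the next consumer is the digest method, which needs octets, so the Reference Processing Model has the application canonicalize the node-set before hashing. The fragment below is a constructed stand-in for the `<Documento  ID="T33F4">` element in the thread (the real document is not available here); `canonicalize` is the Canonical XML implementation in Python's standard library, and `xmldsig#sha1` is used only because that is the algorithm the quoted `<Reference>` names.

```python
import base64
import hashlib
import hmac
from xml.etree.ElementTree import canonicalize

# Constructed sample fragment standing in for the referenced element in the
# thread. Note the double space between the element name and the ID
# attribute, which is exactly what Canonical XML normalizes away.
RAW_FRAGMENT = '<Documento  ID="T33F4"><Texto>hola</Texto></Documento>'


def sha1_digest_b64(octets: bytes) -> str:
    """Base64-encoded SHA-1 digest, the encoding used inside <DigestValue>
    for http://www.w3.org/2000/09/xmldsig#sha1."""
    return base64.b64encode(hashlib.sha1(octets).digest()).decode("ascii")


def canonical_form(fragment: str) -> str:
    """Node-set -> octets step of the Reference Processing Model: the
    dereferenced element (plus descendants, namespaces and attributes, but
    not comments) is serialized with Canonical XML."""
    return canonicalize(fragment, with_comments=False)


def digest_raw(fragment: str) -> str:
    """What a verifier computes if it skips the implicit canonicalization
    and hashes the literal octets of the fragment instead."""
    return sha1_digest_b64(fragment.encode("utf-8"))


def digest_after_c14n(fragment: str) -> str:
    """What the spec requires for a same-document reference with no
    Transforms: canonicalize first, then apply the digest method."""
    return sha1_digest_b64(canonical_form(fragment).encode("utf-8"))


def verify_reference(fragment: str, expected_digest_value: str) -> bool:
    """Spec-conformant check of one <Reference> against its <DigestValue>.
    Comparison is constant-time so a verifier does not leak how many
    leading characters of the digest matched."""
    actual = digest_after_c14n(fragment)
    return hmac.compare_digest(actual.encode("ascii"), expected_digest_value.encode("ascii"))


if __name__ == "__main__":
    print("canonical form :", canonical_form(RAW_FRAGMENT))
    print("digest (raw)   :", digest_raw(RAW_FRAGMENT))
    print("digest (c14n)  :", digest_after_c14n(RAW_FRAGMENT))
    # A signer who canonicalized before digesting produces a DigestValue that
    # only a canonicalizing verifier reproduces; the raw-octets path fails.
    signed_value = digest_after_c14n(RAW_FRAGMENT)
    print("verify (spec)  :", verify_reference(RAW_FRAGMENT, signed_value))
    print("verify (raw)   :", digest_raw(RAW_FRAGMENT) == signed_value)
```

The two `print` lines at the end reproduce the anomaly from the thread: the same referenced element verifies when the implicit c14n step is performed and fails when it is not, because the extra space inside the start tag survives into the raw octets but not into the canonical form. The converse also holds and is the useful property for a verifier: `digest_after_c14n` gives the same value for the single-space and double-space spellings of the fragment, so whitespace inside tags cannot cause spurious mismatches between conformant implementations.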