- From: Anders Rundgren <anders.rundgren@telia.com>
- Date: Wed, 16 Nov 2005 17:01:25 +0100 (MET)
- To: mikemci@us.ibm.com
- Cc: w3c-ietf-xmldsig@w3.org, w3c-ietf-xmldsig-request@w3.org
Mike,

It is not binding to the schema that is the problem. It is *using* the schema in the canonicalization process. This is AFAIK currently not supported by XML DSig standards.

Well, you may use a reduced schema that does not alter instance data after validation.

thanx,
Anders

----Original Message----
From: mikemci@us.ibm.com
Date: Nov 16, 2005 4:30:36 PM
To: Josseline <anders.rundgren@telia.com>
Cc: w3c-ietf-xmldsig@w3.org, w3c-ietf-xmldsig-request@w3.org
Subj: Re: Schema centric canonicalization - Need and status

Why not just provide a single ds:Signature using standard canonicalization with one ds:Reference to the XML document and one ds:Reference to the Schema document? Binds the document to the schema and therefore the schema provided content.

Josseline <anders.rundgren@telia.com>
Sent by: w3c-ietf-xmldsig-request@w3.org
11/16/2005 10:17 AM
Please respond to Josseline
To: w3c-ietf-xmldsig@w3.org
cc:
Subject: Schema centric canonicalization - Need and status

Hi,

I'm working with a standard for "Web Signing" [*]. In this work XML Schemas have been used extensively and together with XML DSig.

However, it seems that not even exclusive canonicalization is really fit for the task as it is not designed for schema-defined instance documents. At least default attributes seem to break the current canonicalization algorithms.

Essentially I have two options. Cripple schemas or invent a new algorithm. None of these alternatives appear very tempting but I'm leaning towards the latter as the "patch" needed is fairly small.

Comments?

Anders Rundgren

*] The ability to in a browser sign a transaction request or a static document, presented by a service provider.
Received on Wednesday, 16 November 2005 16:23:27 UTC
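
The default-attribute problem raised in this thread, as an added example that is not part of the original messages: a verifier that canonicalizes the schema-augmented infoset computes a different digest than a signer that canonicalized the raw instance. The sample document, the `SCHEMA_DEFAULTS` table (a hypothetical stand-in for an XSD `default="EUR"` declaration) and the function names are constructed, and Python's built-in C14N 2.0 stands in for the canonicalization algorithms discussed.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed instance: the signer omitted the optional "currency" attribute.
INSTANCE = '<order xmlns="urn:example:shop"><amount>100</amount></order>'

# Hypothetical stand-in for schema-declared attribute defaults:
# {qualified element name: {attribute name: default value}}
SCHEMA_DEFAULTS = {"{urn:example:shop}amount": {"currency": "EUR"}}


def canonical_form(root):
    """Serialize the tree and canonicalize it (C14N 2.0 from the stdlib)."""
    return ET.canonicalize(ET.tostring(root, encoding="unicode"))


def digest(root):
    """SHA-256 over the canonical octets, as a ds:Reference digest would be."""
    return hashlib.sha256(canonical_form(root).encode("utf-8")).hexdigest()


def apply_schema_defaults(root, defaults):
    """Mimic a schema-validating parser that adds defaulted attributes."""
    for elem in root.iter():
        for name, value in defaults.get(elem.tag, {}).items():
            if name not in elem.attrib:
                elem.set(name, value)
    return root


def signer_digest():
    """Signer side: digest of the instance exactly as written."""
    return digest(ET.fromstring(INSTANCE))


def verifier_digest(defaults):
    """Verifier side: digest after the parser applied the given defaults."""
    return digest(apply_schema_defaults(ET.fromstring(INSTANCE), defaults))


if __name__ == "__main__":
    print("signer            :", signer_digest())
    print("verifier, reduced :", verifier_digest({}))               # matches
    print("verifier, defaults:", verifier_digest(SCHEMA_DEFAULTS))  # differs
```

Passing an empty defaults table corresponds to the "reduced schema that does not alter instance data" mentioned in the reply, and is the case in which both sides agree.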