RE: <ds:Signature/> and <Signature/>

Folks, two short comments:

<Reference> and <Reference URI=""> are DIFFERENT. The latter one is a
same-document URI (whole document excluding comment nodes), while
<Reference> is a fragile one where the implementation must know what
actually is signed. I highly recommend not to do these things, because
it's really messy. This <Reference> thing is why I wrote the
NullURIReferenceResolver. In addition, you can only use one Reference
per SignedInfo or Manifest that uses this crude feature. So it is NOT a
bug in the Apache XML Security implementation. 

The second comment is regarding "why are the SignatureValues different
when I use the same RSA key?": The point is that signing <ds:SignedInfo
xmlns:ds="...">...</ds:SignedInfo> yields a different SignatureValue
than signing <SignedInfo xmlns="...">...</SignedInfo>. If you want to
generate the non-prefixed stuff with Apache XML Security, there is a
switch where you can specify the preferred prefix for the signature
namespace:

org.apache.xml.security.utils.Constants.setSignatureSpecNSprefix("");

After that, recreate the signature...

Greets,
C.
 

-----Original Message-----
From: w3c-ietf-xmldsig-request@w3.org
[mailto:w3c-ietf-xmldsig-request@w3.org] On Behalf Of
Hothi_Amrit@emc.com
Sent: Wednesday, 14 June 2006 20:40
To: aleksey@aleksey.com
Cc: larry.bugbee@boeing.com; tgindin@us.ibm.com; w3c-ietf-xmldsig@w3.org
Subject: RE: <ds:Signature/> and <Signature/>


I'm not sure it's a bug. If the URI is missing, there has to be some way
to know the identity of the signed object and that's where the
NullURIReferenceResolver comes in.

Amrit. 

-----Original Message-----
From: Aleksey Sanin [mailto:aleksey@aleksey.com]
Sent: Wednesday, June 14, 2006 11:13 AM
To: Hothi, Amrit
Cc: larry.bugbee@boeing.com; tgindin@us.ibm.com; w3c-ietf-xmldsig@w3.org
Subject: Re: <ds:Signature/> and <Signature/>


> When Java tries to process the C signature it expects the URI to be there.
> If not it will throw an exception.

You might want to file a bug report against Apache. The URI attribute is
optional according to the spec:

http://www.w3.org/TR/xmldsig-core/#sec-Reference

Best,
Aleksey Sanin

Received on Thursday, 15 June 2006 10:00:21 UTC
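
Added example (not part of the original thread, and not Apache XML Security code): it illustrates the two points in the first message, that a prefixed and an unprefixed SignedInfo canonicalize to different octets and therefore give different SignatureValues under the same RSA key, and that a Reference with no URI attribute differs from one with URI="". The function names, the constructed SignedInfo, and the use of Python's standard-library C14N 2.0 canonicalizer (which, like the C14N 1.0 named in the sample, keeps namespace prefixes) are assumptions of this example.

```python
import hashlib
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample (not from the thread): one SignedInfo, filled in per call.
TEMPLATE = (
    '<{p}SignedInfo xmlns{x}="' + DSIG + '">'
    '<{p}CanonicalizationMethod'
    ' Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>'
    '<{p}SignatureMethod Algorithm="' + DSIG + 'rsa-sha1"/>'
    '<{p}Reference{uri}>'
    '<{p}DigestMethod Algorithm="' + DSIG + 'sha1"/>'
    '<{p}DigestValue>AAAAAAAAAAAAAAAAAAAAAAAAAAA=</{p}DigestValue>'
    '</{p}Reference></{p}SignedInfo>'
)

def signed_info(prefix="", uri_attr=' URI=""'):
    """Build the sample with a namespace prefix ("" = default namespace)."""
    return TEMPLATE.format(p=prefix + ":" if prefix else "",
                           x=":" + prefix if prefix else "",
                           uri=uri_attr)

def signed_octets(xml_text):
    """Canonical octets of SignedInfo: the byte string that gets hashed."""
    return ET.canonicalize(xml_text).encode("utf-8")

def signed_info_digest(xml_text):
    """SHA-1 over the canonical octets, i.e. the input to the RSA operation."""
    return hashlib.sha1(signed_octets(xml_text)).hexdigest()

def reference_kind(xml_text):
    """Classify the first Reference by its URI attribute."""
    ref = ET.fromstring(xml_text).find("{%s}Reference" % DSIG)
    uri = ref.get("URI")
    if uri is None:
        return "absent"          # application must know what was signed
    if uri == "":
        return "same-document"   # whole document, comment nodes excluded
    return "other"

if __name__ == "__main__":
    for prefix in ("ds", ""):
        doc = signed_info(prefix)
        print(repr(prefix), signed_info_digest(doc), reference_kind(doc))
    print(reference_kind(signed_info("ds", "")))
```

Both forms parse to the same namespace-qualified element, yet the digests differ, so a verifier has to canonicalize the SignedInfo it received rather than a re-serialised copy.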