RE: <ds:Signature/> and <Signature/>

As I said below: you should not use it in the first place! 

I just wrote it to show that my implementation supports everything
mentioned in the XML Signature spec. This resolver can be filled by the
application before signature validation, so that when the
Manifest/SignedInfo asks "who can resolve References without URI?", this
thing steps up and says "I have the contents to be signed/validated". 

Christian

-----Original Message-----
From: Hothi_Amrit@emc.com [mailto:Hothi_Amrit@emc.com] 
Sent: Thursday, 15 June 2006 19:18
To: Christian Geuer-Pollmann; Hothi_Amrit@emc.com; aleksey@aleksey.com
Cc: larry.bugbee@boeing.com; tgindin@us.ibm.com; w3c-ietf-xmldsig@w3.org
Subject: RE: <ds:Signature/> and <Signature/>

Christian,

 One thing I found is that there is very little documentation on
NullURIReferenceResolver. Although there is some sample code around,
there is not much documentation as to when and how you should use this
resolver.

Cheers,
Amrit.


 
-----Original Message-----
From: Christian Geuer-Pollmann
[mailto:Christian.Geuer-Pollmann@microsoft.com]
Sent: Thursday, June 15, 2006 3:00 AM
To: Hothi_Amrit@emc.com; aleksey@aleksey.com
Cc: larry.bugbee@boeing.com; tgindin@us.ibm.com; w3c-ietf-xmldsig@w3.org
Subject: RE: <ds:Signature/> and <Signature/>


Folks, two short comments:

<Reference> and <Reference URI=""> are DIFFERENT. The latter one is a
same-document URI (whole document excluding comment nodes), while
<Reference> is a fragile one where the implementation must know what
actually is signed. I highly recommend not doing these things, because
it's really messy. This <Reference> thing is why I wrote the
NullURIReferenceResolver. In addition, you can only use one Reference
per SignedInfo or Manifest that uses this crude feature. So it is NOT a
bug in the Apache XML Security implementation. 

The second comment is regarding "why are the SignatureValues different
when I use the same RSA key?": The point is that signing <ds:SignedInfo
xmlns:ds="...">...</ds:SignedInfo> yields a different SignatureValue
than signing <SignedInfo xmlns="...">...</SignedInfo>. If you want to
generate the non-prefixed stuff with Apache XML Security, there is a
switch where you can specify the preferred prefix for the signature
namespace:

org.apache.xml.security.utils.Constants.setSignatureSpecNSprefix("");

After that, recreate the signature...

Greets,
C.
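
The three Reference forms Christian distinguishes above (URI="", URI="#id", and no
URI attribute at all), the one-URI-less-Reference-per-SignedInfo rule, and the
effect of the ds: prefix on the octets that actually get signed, as an added
example in Python. This is not code from the thread or from Apache XML
Security; the function names (dereference, count_uriless_references,
signed_info_digest, make_reference, make_signed_info), the sample document and
the SignedInfo fragments are constructed here. It uses the standard library's
xml.etree.ElementTree.canonicalize (Python 3.8+, Canonical XML 2.0) in place of
the Canonical XML 1.0 that XML Signature normally uses; both keep namespace
prefixes, which is the point of the second comment.

```python
# Added example, not part of the thread or of Apache XML Security.
# Requires Python 3.8+ for xml.etree.ElementTree.canonicalize (C14N 2.0).
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
C14N_ALG = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"

# Constructed sample document: an Id-bearing root plus a comment, so that the
# "comments are dropped" part of a same-document reference is visible.
SAMPLE_DOC = '<Order Id="o1"><!-- not signed --><Item>widget</Item></Order>'


def make_reference(uri=None):
    """Build a ds:Reference element; uri=None means no URI attribute at all."""
    attr = "" if uri is None else f' URI="{uri}"'
    return ET.fromstring(f'<ds:Reference xmlns:ds="{DS_NS}"{attr}/>')


def make_signed_info(*uris):
    """Build a ds:SignedInfo with one ds:Reference per entry (None = no URI)."""
    refs = "".join("<ds:Reference/>" if u is None else f'<ds:Reference URI="{u}"/>'
                   for u in uris)
    return ET.fromstring(f'<ds:SignedInfo xmlns:ds="{DS_NS}">{refs}</ds:SignedInfo>')


def dereference(reference, document, app_content=None):
    """Return the octets a ds:Reference points at.

    reference   -- a ds:Reference element
    document    -- text of the document the Signature lives in
    app_content -- bytes the application supplies for a Reference that has no
                   URI attribute (the role Christian's NullURIReferenceResolver
                   plays); None means "nothing registered"
    """
    if "URI" not in reference.attrib:
        # No URI attribute: the spec leaves it to the application to know what
        # is signed, so without a registered answer this cannot be resolved.
        if app_content is None:
            raise ValueError("Reference without URI: application must supply the content")
        return app_content

    uri = reference.get("URI")
    if uri == "":
        # URI="": same-document reference, whole document with comments removed.
        return ET.canonicalize(xml_data=document, with_comments=False).encode()

    if uri.startswith("#"):
        # Fragment reference: the element carrying that Id. Simplified: a real
        # implementation canonicalizes the node set with inherited namespace
        # context and must know which attributes are of type ID.
        root = ET.fromstring(document)
        for el in root.iter():
            if el.get("Id") == uri[1:]:
                frag = ET.tostring(el, encoding="unicode")
                return ET.canonicalize(xml_data=frag, with_comments=False).encode()
        raise ValueError(f"no element with Id {uri[1:]!r}")

    raise ValueError(f"external URI not handled in this example: {uri!r}")


def count_uriless_references(signed_info):
    """Count ds:Reference children with no URI attribute and enforce the
    'at most one per SignedInfo or Manifest' rule stated in the thread."""
    refs = signed_info.findall(f"{{{DS_NS}}}Reference")
    uriless = [r for r in refs if "URI" not in r.attrib]
    if len(uriless) > 1:
        raise ValueError("only one Reference without URI is allowed per SignedInfo")
    return len(uriless)


# Two SignedInfo elements with identical qualified names that differ only in
# how the xmldsig namespace is declared (prefix vs. default namespace).
PREFIXED_SIGNED_INFO = (
    f'<ds:SignedInfo xmlns:ds="{DS_NS}">'
    f'<ds:CanonicalizationMethod Algorithm="{C14N_ALG}"/>'
    '</ds:SignedInfo>'
)
DEFAULT_NS_SIGNED_INFO = (
    f'<SignedInfo xmlns="{DS_NS}">'
    f'<CanonicalizationMethod Algorithm="{C14N_ALG}"/>'
    '</SignedInfo>'
)


def signed_info_digest(signed_info_xml):
    """SHA-256 over the canonical form of SignedInfo, standing in for the bytes
    the signature algorithm sees. Canonical XML keeps namespace prefixes, so
    the two variants above canonicalize to different octets."""
    octets = ET.canonicalize(xml_data=signed_info_xml, with_comments=False).encode()
    return hashlib.sha256(octets).hexdigest()


def same_qualified_name(xml_a, xml_b):
    """True if both roots have the same {namespace}local-name."""
    return ET.fromstring(xml_a).tag == ET.fromstring(xml_b).tag


if __name__ == "__main__":
    print(dereference(make_reference(""), SAMPLE_DOC))
    print(same_qualified_name(PREFIXED_SIGNED_INFO, DEFAULT_NS_SIGNED_INFO))
    print(signed_info_digest(PREFIXED_SIGNED_INFO) == signed_info_digest(DEFAULT_NS_SIGNED_INFO))
```

The last two prints show the two SignedInfo variants are the same infoset
(same qualified name) yet hash to different values, which is exactly why the
same RSA key produces different SignatureValues; the setSignatureSpecNSprefix
switch above changes which of the two serializations the library emits.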
 

-----Original Message-----
From: w3c-ietf-xmldsig-request@w3.org
[mailto:w3c-ietf-xmldsig-request@w3.org] On Behalf Of
Hothi_Amrit@emc.com
Sent: Wednesday, 14 June 2006 20:40
To: aleksey@aleksey.com
Cc: larry.bugbee@boeing.com; tgindin@us.ibm.com; w3c-ietf-xmldsig@w3.org
Subject: RE: <ds:Signature/> and <Signature/>


I'm not sure it's a bug. If the URI is missing, there has to be some way
to know the identity of the signed object and that's where the
NullURIReferenceResolver comes in.

Amrit. 

-----Original Message-----
From: Aleksey Sanin [mailto:aleksey@aleksey.com]
Sent: Wednesday, June 14, 2006 11:13 AM
To: Hothi, Amrit
Cc: larry.bugbee@boeing.com; tgindin@us.ibm.com; w3c-ietf-xmldsig@w3.org
Subject: Re: <ds:Signature/> and <Signature/>


> When Java tries to process the C signature it expects the URI to be
> there. If not it will throw an exception.

You might want to file a bug report against apache. The URI attribute is
optional according to the spec:

http://www.w3.org/TR/xmldsig-core/#sec-Reference

Best,
Aleksey Sanin

Received on Thursday, 15 June 2006 18:56:20 UTC