- From: Anders Rundgren <anders.rundgren@telia.com>
- Date: Sun, 29 Jul 2007 17:36:51 +0200
- To: "Christian Geuer-Pollmann" <Christian.Geuer-Pollmann@microsoft.com>, <w3c-ietf-xmldsig@w3.org>
Hi Christian,

Thank you very much!

I have dug a bit into this during the vacation [:-(] and I think this is perfect.

br
ar

----- Original Message -----
From: Christian Geuer-Pollmann
To: Anders Rundgren ; w3c-ietf-xmldsig@w3.org
Sent: Friday, July 27, 2007 18:47
Subject: RE: Xpath filter2 newbe question

This is a quick shot from the hip without running it in an implementation, but I would try this:

    <RootToBeSigned_ByAll ID="O.54434343">
      <StuffToBeSigned_ByAll/>
      <RepeatedElemToBeSigned_ByChildSignatureOnly Attrib="something">
        <ds:Signature>
          <ds:SignedInfo>
            <dsig:Reference URI="">
              <dsig:Transforms>
                <dsig:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
                  <dsig-xpath:XPath Filter="subtract">
                    /RootToBeSigned_ByAll/RepeatedElemToBeSigned_ByChildSignatureOnly
                  </dsig-xpath:XPath>
                  <dsig-xpath:XPath Filter="union">
                    /RootToBeSigned_ByAll/RepeatedElemToBeSigned_ByChildSignatureOnly[@Attrib="something"]
                  </dsig-xpath:XPath>
                </dsig:Transform>
              </dsig:Transforms>
              <dsig:Transforms Algorithm=".#enveloped-signature">
              ...
            </dsig:Reference>
            ...
          </ds:SignedInfo>
          ...
        </ds:Signature>
      </RepeatedElemToBeSigned>
      <RepeatedElemToBeSigned_ByChildSignatureOnly Attrib="something_else">
        <dsSignature 2...
      </RepeatedElemToBeSigned>
      <RepeatedElemToBeSigned_ByChildSignatureOnly Attrib="...">
        <dsSignature n...
      </RepeatedElemToBeSigned>
    </RootToBeSigned_ByAll>

1: You select all nodes in the document URI="" (well, except the comments :-)
2: You subtract all the //RepeatedElemToBeSigned_ByChildSignatureOnly ones
3: You re-include the one you care about.

And if you don't make it an arbitrary Attrib but type ID, then you simply <union>#foo</union>

And if you want, you may move the #enveloped-signature also into the XPath2.

    <dsig-xpath:XPath Filter="subtract">
      RootToBeSigned_ByAll/RepeatedElemToBeSigned_ByChildSignatureOnly[@Attrib="something"]/ds:Signature
    </dsig-xpath:XPath>

Best regards,
Christian

---
Dr.-Ing. Christian Geuer-Pollmann
Lead Software Design Engineer
Europäisches Microsoft Innovations Center GmbH, Ritterstrasse 23, D-52072 Aachen, Germany
Geschäftsführer: Keith Dolliver, Benjamin O. Orndorff; Amtsgericht Aachen, HRB 12066
http://www.microsoft.com/emic/

-----Original Message-----
From: w3c-ietf-xmldsig-request@w3.org [mailto:w3c-ietf-xmldsig-request@w3.org] On Behalf Of Anders Rundgren
Sent: Montag, 23. Juli 2007 11:03
To: w3c-ietf-xmldsig@w3.org
Subject: Xpath filter2 newbe question

Hi,

Here is an example of a document that is signed by a number of peers (that should not sign over the others). I wonder if anybody has an idea of how an XPath filter2 could be designed in order to support this? It is probably trivial but not for me :-(

I would like to avoid multiple References in each Signature as well as adding IDs to RepeatedElemToBeSigned_ByChildSignatureOnly. If possible that is...

    <RootToBeSigned_ByAll ID="O.54434343">
      <StuffToBeSigned_ByAll/>
      <RepeatedElemToBeSigned_ByChildSignatureOnly Attrib="something">
        <ds:Signature 1...
      </RepeatedElemToBeSigned>
      <RepeatedElemToBeSigned_ByChildSignatureOnly Attrib="something_else">
        <dsSignature 2...
      </RepeatedElemToBeSigned>
      <RepeatedElemToBeSigned_ByChildSignatureOnly Attrib="...">
        <dsSignature n...
      </RepeatedElemToBeSigned>
    </RootToBeSigned_ByAll>

Regards
Anders Rundgren
Received on Sunday, 29 July 2007 15:37:10 UTC
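
The subtract/union sequence from Christian's reply, modelled as set operations so a verifier can see exactly which elements one peer's signature covers. This is an added example, not code from the thread or from any XML Signature library. Assumptions: only element nodes are modelled, the absolute paths are rewritten relative to the root because ElementTree supports a subset of XPath, the sample document is constructed, and `subtree`, `apply_filter2` and `covered` are hypothetical names.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}
REP = "RepeatedElemToBeSigned_ByChildSignatureOnly"

# Constructed sample document following the layout in the thread;
# the <Data/> children and the empty ds:SignedInfo are placeholders.
DOC = f"""<RootToBeSigned_ByAll ID="O.54434343" xmlns:ds="{DS}">
  <StuffToBeSigned_ByAll/>
  <{REP} Attrib="something"><Data/><ds:Signature><ds:SignedInfo/></ds:Signature></{REP}>
  <{REP} Attrib="something_else"><Data/><ds:Signature><ds:SignedInfo/></ds:Signature></{REP}>
</RootToBeSigned_ByAll>"""


def subtree(root, path):
    """Evaluate path, then expand each selected element to its whole subtree."""
    return {n for hit in root.findall(path, NS) for n in hit.iter()}


def apply_filter2(root, filters):
    """Apply (Filter, path) pairs in order, starting from the whole document."""
    selected = set(root.iter())
    for op, path in filters:
        nodes = subtree(root, path)
        if op == "subtract":
            selected -= nodes
        elif op == "union":
            selected |= nodes
        elif op == "intersect":
            selected &= nodes
        else:
            raise ValueError(f"unknown Filter value: {op!r}")
    return selected


def covered(attrib):
    """List (tag, Attrib) of the elements one peer's signature would digest."""
    root = ET.fromstring(DOC)
    mine = f"./{REP}[@Attrib='{attrib}']"
    keep = apply_filter2(root, [
        ("subtract", f"./{REP}"),               # step 2: drop every peer element
        ("union", mine),                        # step 3: re-include this peer's own
        ("subtract", f"{mine}/ds:Signature"),   # in place of enveloped-signature
    ])
    return [(n.tag, n.get("Attrib")) for n in root.iter() if n in keep]


if __name__ == "__main__":
    for tag, attrib in covered("something"):
        print(tag, attrib)
```

Because the filters are applied in order, swapping the first two entries would remove the peer's own element again, so the sequence matters when reviewing a Reference.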