XML Signature - Request for clarification [Virus checked]

Ladies and Gentlemen:

Let me start with a brief introduction of the issue that makes me ask for 
a clarification from your side.
My name is Marcus Ertel and I am with "Sparkassen Informatik", one of the 
biggest IT service providers in Germany. We are currently busy introducing 
the new money transfer standard EBICS (Electronic Banking Internet 
Communication Standard; please see
<http://www.ebics-zka.de/english/spec/specification_en.htm>) which relies 
heavily on XML and particularly XML Signature.

The various implementations of EBICS raised a discussion concerning the 
handling of the Reference URI in the SignedInfo element of an XML 
signature. The issue is, quite briefly, as follows:

The XML data of an EBICS message contain a <SignedInfo> element with a 
<Reference URI> that contains an XPointer:

        <Reference URI="#xpointer(//*[@authenticate='true'])">

Now there's an ongoing discussion about the handling of this URI before 
the calculation of the XML Signature. One opinion is as follows: 
In order to obtain a valid, RFC 2396 compliant URI, parts of the Reference 
URI have to be escaped properly. Hence, the URI fed into the signature 
process is as follows: 

        <Reference URI="#xpointer(%2F%2F*%5B%40authenticate%3D%27true%27%5D)">

On the other hand, there is quite the opposite opinion. Its proponents say 
that no escaping at all is necessary, because the URI consists of just an 
XPointer. And as all the candidates for escaping are parts of this 
XPointer, they do not infringe the requirements of RFC 2396. 

Could you please kindly advise on how to process this special URI? We need 
this clarification because there are ISVs providing the German banking 
software market with these two implementations of the XML Signature 
standard. This in turn leads to products unable to cope with each other 
while all of them claim to be compliant with the XML Signature standard.

Thank you very much in advance and best regards from Munich

Marcus Ertel, Sparkassen Informatik

Sparkassen Informatik GmbH & Co.KG
Richard-Reitzner-Allee 8
85540 München / Haar

Received on Monday, 6 August 2007 16:02:37 UTC
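
Added example, not part of the original message: the interoperability failure described above, made concrete. The two URI spellings name the same XPointer once percent-decoded, yet they give different canonical SignedInfo octets, so a signature computed over one does not verify against the other. The SignedInfo skeleton is constructed, and Python's built-in C14N 2.0 and SHA-256 are assumptions standing in for the canonicalization and digest methods a real message declares.

```python
import hashlib
from urllib.parse import unquote
from xml.etree.ElementTree import canonicalize

# The two Reference URI spellings quoted in the message.
RAW_URI = "#xpointer(//*[@authenticate='true'])"
ESCAPED_URI = "#xpointer(%2F%2F*%5B%40authenticate%3D%27true%27%5D)"

# Constructed, minimal SignedInfo skeleton (illustration only, not an EBICS message).
SIGNED_INFO = (
    '<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">\n'
    '  <Reference   URI="{uri}"/>\n'
    '</SignedInfo>'
)


def canonical_signed_info(uri: str) -> bytes:
    """Canonicalize the skeleton with the given URI attribute value.

    Assumption: Python's built-in C14N 2.0 stands in for whatever
    CanonicalizationMethod a real message declares.
    """
    return canonicalize(SIGNED_INFO.format(uri=uri)).encode("utf-8")


def signed_info_digest(uri: str) -> str:
    """SHA-256 (assumed digest) over the canonical SignedInfo octets."""
    return hashlib.sha256(canonical_signed_info(uri)).hexdigest()


def compare(uri_a: str, uri_b: str) -> dict:
    """Report whether two spellings agree as XPointers and as signed octets."""
    return {
        "same_xpointer_after_decoding": unquote(uri_a) == unquote(uri_b),
        "same_signed_octets": canonical_signed_info(uri_a) == canonical_signed_info(uri_b),
    }


if __name__ == "__main__":
    for uri in (RAW_URI, ESCAPED_URI):
        print(signed_info_digest(uri), uri)
    print(compare(RAW_URI, ESCAPED_URI))
```

Canonicalization treats the attribute value as an opaque string, which is why it does not reconcile the two spellings.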