Subject: Re: [dss] Namespace inheritance, other approach



Konrad,

I'm still not sure I grasp all your points.  Let me try a concrete 
proposal.  Tell me if there are problems with this -


Proposal
---------
We add a <NamespaceContext> XML element for use in passing XML input 
documents and signatures.  This specifies namespace prefixes that are 
part of the original context of the <ds:Signature> or Input Document. 
It MUST contain all such namespace prefixes that are not declared within 
the <ds:Signature> or Input Document.

The <ds:Signature> and Input Document still need to declare any 
namespace prefixes they use.  If they fail to do so, the server shall 
return an error (not for security reasons, but to help detect 
client-side mistakes).  It's unnecessary (but ok) for a namespace prefix 
that is declared and used in the signature/input document to also be in 
the <NamespaceContext>.

The <NamespaceContext> supplies the missing context that is needed for 
canonicalization.  It would look like:

<SignatureObject>
   <NamespaceContext>
     <Namespace prefix="sxs" value="urn:..."/>
     <Namespace prefix="wsp" value="http://..."/>
   </NamespaceContext>
   <ds:Signature>
   </ds:Signature>
</SignatureObject>

<Document>
   <NamespaceContext>
     <Namespace prefix="sxs" value="urn:..."/>
     <Namespace prefix="wsp" value="http://..."/>
   </NamespaceContext>
   <XMLData>
   </XMLData>
</Document>

To convert the Input Document or the <ds:Signature>/<SignedInfo> to 
Canonical XML, as is necessary during signature creation and validation, 
the server applies Exclusive Canonicalization.  The namespace prefixes 
from <NamespaceContext> are passed to the Exclusive Canonicalization 
algorithm as an "InclusiveNamespacesPrefixList".

If my understanding of Canonical and Exclusive Canonical XML is correct, 
the result will not include the DSS protocol namespace context (since 
Exclusive Canonicalization omits surrounding context) but it will 
include the original namespace context specified as an 
InclusiveNamespacesPrefixList.

(Note: I have trouble understanding the Canonical XML specs.  I hope 
others with more expertise can review this).


Trevor
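
The scheme above as an added Python example, not code from the post or from the DSS TC: it reads the proposed <NamespaceContext>, builds the InclusiveNamespacesPrefixList string, flags prefixes used inside <ds:Signature> but not declared there (the error the post asks the server to return), and works out which xmlns declarations Exclusive Canonicalization would render on the canonical <ds:Signature>. The wrapper namespace URI, the sxs/wsp URIs, and the assumption that the server binds the NamespaceContext prefixes in scope just around the signature before canonicalizing are mine, not the post's.

```python
import xml.dom.minidom as minidom

XMLNS_NS = "http://www.w3.org/2000/xmlns/"
# Constructed requests in the shape the post proposes.  The wrapper's default namespace
# stands in for the DSS protocol namespace (placeholder URI); sxs/wsp URIs are made up.
# BAD_REQUEST uses wsp: inside the signature but declares it only on the wrapper.
GOOD_REQUEST = """<SignatureObject xmlns="urn:example:dss-protocol-placeholder">
  <NamespaceContext><Namespace prefix="sxs" value="urn:example:sxs"/>
    <Namespace prefix="wsp" value="http://example.org/wsp"/></NamespaceContext>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/></ds:Signature>
</SignatureObject>"""
BAD_REQUEST = GOOD_REQUEST.replace("<SignatureObject ", '<SignatureObject xmlns:wsp="http://example.org/wsp" '
                                   ).replace("<ds:SignedInfo/>", "<ds:Object><wsp:Policy/></ds:Object>")

def declared_on(elem):
    """Prefixes bound by xmlns attributes directly on elem ("" is the default namespace)."""
    return {a.localName if a.prefix == "xmlns" else "": a.value
            for a in elem.attributes.values() if a.namespaceURI == XMLNS_NS}

def used_by(elem):
    """Prefixes elem visibly utilizes: its own name and its attribute names."""
    return {elem.prefix or ""} | {a.prefix for a in elem.attributes.values()
                                   if a.prefix and a.namespaceURI != XMLNS_NS}

def undeclared_prefixes(sig):
    """Prefixes used under sig but declared nowhere inside it (the post's server error)."""
    used, declared, stack = set(), set(), [sig]
    while stack:
        e = stack.pop()
        used, declared = used | (used_by(e) - {""}), declared | set(declared_on(e))
        stack += [c for c in e.childNodes if c.nodeType == c.ELEMENT_NODE]
    return used - declared

def apex_namespace_decls(sig, ctx):
    """xmlns declarations Exclusive C14N renders on the apex element: prefixes the apex visibly
    uses plus in-scope InclusiveNamespacesPrefixList prefixes (assumed: ctx bound around sig)."""
    in_scope, anc = {}, sig.parentNode
    while anc is not None and anc.nodeType == anc.ELEMENT_NODE:  # DSS wrapper declarations
        in_scope = {**declared_on(anc), **in_scope}              # nearer ancestor wins
        anc = anc.parentNode
    in_scope.update({**ctx, **declared_on(sig)})                 # context, then sig's own
    keep = (used_by(sig) | set(ctx)) & set(in_scope)
    return {p: in_scope[p] for p in sorted(keep)}

def analyze(request_xml):
    doc = minidom.parseString(request_xml)
    ctx = {n.getAttribute("prefix"): n.getAttribute("value")
           for n in doc.getElementsByTagName("Namespace")}
    sig = doc.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Signature")[0]
    return " ".join(sorted(ctx)), undeclared_prefixes(sig), apex_namespace_decls(sig, ctx)
```

Only the namespace-declaration part of the canonical form is modelled here; attribute and text serialization are left out. On GOOD_REQUEST the wrapper's default (protocol) namespace is dropped while ds, sxs and wsp are kept, which is the behaviour the post expects.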

