OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

dss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Question on one EnvelopingSignature Optional Input case

Hi,

While developing soft for the signing protocol we have faced an issue
that seems to require further clarification: the precise processing of
<EnvelopingSignature> optional input in certain situations.
The issue may be described as follows: the basic processing rules described
in section 3.3 estblish that the server takes the contents of the XMLData,
for instance, canonicalize it, performs the transforms that it wants and 
hashes it.
This seems to be clear for enveloped and detached signatures, but it is not
clear that this is what should be done for all the enveloping signature 
requests.
Imagine you receive the following request:

<dss:SignRequest 
xmlns:dss="http://www.docs.oasis-open.org/dss/2004/06/oasis-dss-1.0-core-schema-wd-30.xsd"; 
RequestID="UPCRequestEnvelopingXMLSig_0">
    <dss:OptionalInputs>
        <dss:SignatureType>urn:ietf:rfc:3275</dss:SignatureType>
        <dss:EnvelopingSignature WhichDocument="BinaryDocId0"/>
    </dss:OptionalInputs>
    <dss:InputDocuments>
        <dss:Document ID="BinaryDocId0" RefURI="#data">
            <dss:XMLData>
                <upc1:Root 
xmlns:upc1="http://www.ac.upc.edu/namespaces/ns1"; 
xmlns:upc2="http://www.ac.upc.edu/namespaces/ns2";>
                    <upc1:Child1 xml:lang="EN">child1 content</upc1:Child1>
                    <upc2:Child2>
                        <upc1:Child21>child21 content</upc1:Child21>
                        <upc1:Child22>child22 content</upc1:Child22>
                    </upc2:Child2>
                    <upc2:Child3>
                        <upc2:Child31>child31 content</upc2:Child31>
                        <upc2:Child32>child32 content</upc2:Child32>
                    </upc2:Child3>
                </upc1:Root>
            </dss:XMLData>
        </dss:Document>
    </dss:InputDocuments>
</dss:SignRequest>

If we strictly follow the text of the core, we should put the URI in the 
reference and
digest the document....but if the enveloped document does not have the 
corresponding Id
attribute the signature would fail!!!. A different way of generating the 
signature
would be to build up the enveloping ds:Object, put the document in it, 
add to the ds:Object the Id="data"
canonicalize the ds:Object and digest it....Is this
the way we should understand the expected behaviour?
I see two alternatives:

1.Not allowing this request, ie, forcing usage of Transforms (XPath, for 
instance)
for getting what we actually want to get and envelop.

2. Allowing this request and write the suitable text in the core.

Do you have any views on that?

Regards

Sergi and Juan Carlos.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]