[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [dss] Core spec: client-side transforms, etc.
Hi Trevor,

Trevor Perrin wrote:
> [...]
> My question below is still outstanding, as for why servers will be
> signing documents which are different from what clients send,

Please read http://www.cafeconleche.org/books/xmljava/chapters/ch10s05.html
Note: (c) 2000,2001 Elliotte Rusty Harold, and most of what is described there is already reality these days.

Read also http://www.w3.org/TR/2001/REC-xmlschema-1-20010502/#key-nv

> so that document-splicing on the client-side will be unreliable.

After you have read the first parts of the links above, you should have an idea of how n client-side parsers will behave in combination with m server-side parsers, if the input document was not embedded as binary by the client using Base64XML or as a character stream using EscapedXML. The situation gets worse if the input had to be transformed on the client side, and these problems apply now as well. I think however that m server-side parsers can be managed.

> [...]
> Could you explain in detail, with some examples?

Yes.

> Maybe I'm just naive,

Please read http://www.w3.org/TR/xmldsig-filter2/#sec-Examples.

> but it disturbs me to imagine the server operating on a different XML
> document than the client sent, without this difference being
> represented in the transform chain.

The reason simply is that the client has already applied transforms.
Please consider the following Transforms:

  <dsig:Transforms xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
                   xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2">
    <dsig:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
      <dsig-xpath:XPath Filter="intersect">
        //*[starts-with(name(),'B')]
      </dsig-xpath:XPath>
      <dsig-xpath:XPath Filter="union">
        //AAA
      </dsig-xpath:XPath>
    </dsig:Transform>
    <dsig:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
      <dsig-xpath:XPath Filter="union">
        //EEE
      </dsig-xpath:XPath>
    </dsig:Transform>
  </dsig:Transforms>

applied to this input document:

  <AAA>
    <CCC>
      <BBB/>
      <BBB/>
      <BBB/>
    </CCC>
    <DDD>
      <BBB/>
      <BBB/>
    </DDD>
    <EEE>
      <CCC/>
      <DDD/>
    </EEE>
  </AAA>

Client applies the first transform and sends:

  <AAA>
    <BBB/>
    <BBB/>
    <BBB/>
    <BBB/>
    <BBB/>
  </AAA>

Transmission

Server applies the second transform and signs:

  <AAA>
    <BBB/>
    <BBB/>
    <BBB/>
    <BBB/>
    <BBB/>
  </AAA>

However, if either the client or the server had applied both transforms, they would have signed:

  <AAA>
    <BBB/>
    <BBB/>
    <BBB/>
    <BBB/>
    <BBB/>
    <EEE>
    </EEE>
  </AAA>

For more XPath expressions that can cause trouble refer to:
http://www.zvon.org/xxl/XPathTutorial/Output/example8.html
http://www.zvon.org/xxl/XPathTutorial/Output/example12.html
http://www.zvon.org/xxl/XPathTutorial/Output/example15.html
http://www.zvon.org/xxl/XPathTutorial/Output/example16.html

best regards
Konrad
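Added example (not part of the thread above, and not code from the DSS specification or either author): a small model of XPath Filter 2 node-set arithmetic that reproduces the effect Konrad describes, and generalises it to the two ways a split chain goes wrong. It assumes a few simplifications, all stated here and in the comments: the XPath expressions are stood in for by Python predicates over DOM elements (`named(...)` plays `//TAG`, `nth_child_named(...)` plays `//TAG[n]`), subtree expansion and node-set serialization follow Filter 2 and C14N only as far as elements are concerned (no attributes, namespaces or text nodes), and the sample document is constructed to mirror the one in the post. `run_chain` evaluates every Transform on one side against the original document; `run_split` lets the client apply the first Transform, serialize, and hand the bytes to a server that re-parses them and applies the rest.

```python
"""Simplified XPath Filter 2 model: whole chain on one side vs. chain split
between client and server.  Predicates stand in for XPath expressions; only
elements are modelled.  All of this is an illustration, not spec code."""
from xml.dom import minidom

# Constructed sample document, same shape as the one in the post.
DOC = (
    "<AAA><CCC><BBB/><BBB/><BBB/></CCC><DDD><BBB/><BBB/></DDD>"
    "<EEE><CCC/><DDD/></EEE></AAA>"
)


def elements(node):
    """All element nodes below `node`, in document order."""
    out = []
    for child in node.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            out.append(child)
            out.extend(elements(child))
    return out


def subtree(el):
    """Filter 2 expands every selected node to the subtree rooted at it."""
    return {el} | set(elements(el))


def named(tag):
    """Stands in for the XPath //TAG."""
    return lambda el: el.tagName == tag


def nth_child_named(tag, n):
    """Stands in for the positional XPath //TAG[n]: the n-th TAG child of
    its parent.  Position is counted among the siblings that exist in the
    document being evaluated, which is exactly what changes after a split."""
    def pred(el):
        if el.tagName != tag:
            return False
        siblings = [c for c in el.parentNode.childNodes
                    if c.nodeType == c.ELEMENT_NODE and c.tagName == tag]
        return siblings.index(el) == n - 1
    return pred


def apply_transform(doc, filters, input_set):
    """One <dsig:Transform> with Filter 2 semantics: each predicate is
    evaluated against the whole document, its hits are subtree-expanded, and
    the result is intersected with / subtracted from / unioned into the
    running node set, in order."""
    result = set(input_set)
    for op, pred in filters:
        selected = set()
        for el in elements(doc):
            if pred(el):
                selected |= subtree(el)
        if op == "intersect":
            result &= selected
        elif op == "subtract":
            result -= selected
        elif op == "union":
            result |= selected
        else:
            raise ValueError("unknown Filter 2 operation: %s" % op)
    return result


def serialize(doc, node_set):
    """Serialize a node set the way C14N does for elements: an element not
    in the set disappears, its included descendants are emitted in place."""
    def walk(node):
        s = ""
        for child in node.childNodes:
            if child.nodeType != child.ELEMENT_NODE:
                continue
            if child in node_set:
                s += "<%s>%s</%s>" % (child.tagName, walk(child), child.tagName)
            else:
                s += walk(child)
        return s
    return walk(doc)


def run_chain(xml, chain):
    """Evaluate every Transform on one side, all against the same parsed
    document; the input node set of each Transform is the previous output."""
    doc = minidom.parseString(xml)
    node_set = set(elements(doc))
    for filters in chain:
        node_set = apply_transform(doc, filters, node_set)
    return serialize(doc, node_set)


def run_split(xml, chain):
    """Client applies the first Transform and sends the serialized bytes;
    the server re-parses those bytes as a fresh document (so its input node
    set is only what survived) and applies the remaining Transforms."""
    client_out = run_chain(xml, chain[:1])     # must be a well-formed document
    return run_chain(client_out, chain[1:])


# Failure mode 1: a later union re-adds a subtree an earlier Transform removed.
CHAIN_UNION = [
    [("subtract", named("EEE"))],
    [("union", named("EEE"))],
]

# Failure mode 2: a positional predicate counts siblings the earlier
# Transform dropped, so //BBB[2] names different nodes on the two sides.
CHAIN_POSITION = [
    [("subtract", nth_child_named("BBB", 1))],
    [("intersect", nth_child_named("BBB", 2))],
]


def chains_agree(xml, chain):
    """True only if splitting the chain signs the same octets as not splitting it."""
    return run_chain(xml, chain) == run_split(xml, chain)


if __name__ == "__main__":
    for name, chain in (("union", CHAIN_UNION), ("position", CHAIN_POSITION)):
        print(name, "whole:", run_chain(DOC, chain))
        print(name, "split:", run_split(DOC, chain))
```

Both chains sign different octets depending on where the split lands: with `CHAIN_UNION` the one-sided evaluation signs the full document while the split version never sees `EEE` again, and with `CHAIN_POSITION` the one-sided evaluation keeps two `BBB` elements while the server, counting positions in the already-thinned document, keeps one. Intersect and subtract with context-free predicates commute with the split; union, positional or counting predicates (the zvon examples above), and anything that looks at siblings or ancestors do not, which is why the division point needs to be visible in the transform chain itself. Note also that `run_split` only works when the client's intermediate node set still serializes to a well-formed document; a node set whose root was filtered away has no single serialization the server could parse at all.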