Subject: Re: [dss] suggestion for 3.3.3 (Action 05-07-25-1)
Hi Konrad,

Just one question: is the attribute "createEnvelopedSignature" actually needed? I mean the whole purpose of the "SignaturePlacement" element is to instruct the server to actually insert the signature within one of the documents sent by the client. What is the justification for this attribute... What would you expect the server's behaviour to be if the value for this attribute was "false"... not inserting the signature in the document?

If, as you mention in one of your emails, we allow splicing by clients (with all the restrictions and notes you mention), then, assuming that you would have in one document a same-document URI, the server should imagine that the client would splice the signature within the document...

Sorry if this question has already been discussed... I have gone through all the emails exchanged during the weeks that I was away and I may have lost something...

Regards

Juan Carlos.

Konrad Lanz wrote:

> Dear all,
>
> The problem with the current text is that client side splicing could
> potentially lead to signatures not validating due to problems with
> normalization plus that the optional input SignaturePlacement often
> implies to create an EnvelopedSignature.
>
> So my suggestion to replace the current 3.3.3 is to amend
> <ds:SignaturePlacement> as follows:
>
> <xs:element name="SignaturePlacement">
>   <xs:complexType>
>     <xs:choice>
>       <xs:element name="XPathAfter" type="xs:string"/>
>       <xs:element name="XPathFirstChildOf" type="xs:string"/>
>     </xs:choice>
>     <xs:attribute name="WhichDocument" type="xs:IDREF"/>
>     <xs:attribute name="createEnvelopedSignature"
>                   type="xs:boolean" default="true"/>
>   </xs:complexType>
> </xs:element>
>
> The server splices the Signature into the Document and returns it as
> DocumentWithSignature:
>
> Further if createEnvelopedSignature == true do Basic Processing and
> override Step 4. to include an Enveloped Signature Transform as the
> first Transform.
> An EnvelopedSignature signature is a Signature enveloped in a document
> pointed at by the same-document URI="".
> Hence the <dss:Document> pointed at by WhichDocument must have no or
> the empty URI="" as a value for RefURI and must be parseable xml.
>
> best regards
> Konrad
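
The server-side placement discussed in this thread, as an added sketch that is not part of the original messages or of the DSS specification: it splices a `ds:Signature` shell at the position named by `XPathAfter` or `XPathFirstChildOf` and, when the enveloped flag is set, puts the Enveloped Signature Transform first in the same-document Reference. The function names and the sample document are hypothetical, only ElementTree's limited XPath subset is supported, and no digest or signature value is computed.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
SAMPLE = "<order><item>book</item><total>12</total></order>"  # constructed input

def signature_skeleton(enveloped, other_transforms=(C14N,)):
    """Build a ds:Signature shell with one same-document Reference (URI="")."""
    sig = ET.Element(f"{{{DS}}}Signature")
    info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ref = ET.SubElement(info, f"{{{DS}}}Reference", {"URI": ""})
    transforms = ET.SubElement(ref, f"{{{DS}}}Transforms")
    # The enveloped-signature transform, when requested, must come first.
    for alg in ([ENVELOPED] if enveloped else []) + list(other_transforms):
        ET.SubElement(transforms, f"{{{DS}}}Transform", {"Algorithm": alg})
    return sig

def splice(doc_xml, placement, xpath, enveloped=True):
    """Insert the signature shell into the document at the requested position."""
    root = ET.fromstring(doc_xml)  # ParseError here: document is not parseable XML
    target = root.find(xpath)
    if target is None:
        raise ValueError(f"XPath selects nothing: {xpath!r}")
    sig = signature_skeleton(enveloped)
    if placement == "XPathFirstChildOf":
        target.insert(0, sig)
    elif placement == "XPathAfter":
        # ElementTree has no parent pointers, so build a child -> parent map.
        parents = {child: parent for parent in root.iter() for child in parent}
        if target not in parents:
            raise ValueError("cannot place a sibling after the document element")
        parent = parents[target]
        parent.insert(list(parent).index(target) + 1, sig)
    else:
        raise ValueError(f"unknown placement: {placement!r}")
    return root

def transform_algorithms(root):
    """Return the Transform algorithm URIs in document order."""
    return [t.get("Algorithm") for t in root.iter(f"{{{DS}}}Transform")]
```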