OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

dss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [dss] Issue on verification for InlineXML

Dear All,
Juan Carlos Cruellas wrote:
> While implementing DSS verifying protocol we have found what we think 
> that is a potential
> source of problems.
> 
> ...
> We think that this is happening because the server is performing a 
> transform (Exclusive canonicalization) that was not performed when 
> creating the signature. This transform moves the namespace "http://cc.c"; 
> with prefix c from element doc to element el2 because doc does not use 
> this namespace but el2 does use it (see exclusive canonicalization). So, 
> as Hash(DOC-CAN) is different from Hash(DOC-EXCL), the signature will 
> then be invalid.
> 
> ...

> We think that some modification is required in section 4.3.
> 
> 1. text in line 1368, text:
> 
> "This document is extracted and decoded as described in 3.3.1 Step 1.a 
> (or equivalent step in variants of the basic process as defined in 3.3.2 
> onwards depending of the form of the input document)"
> could be substituted by:
> "This document is extracted and decoded as described in 3.3.1 Step 1.a 
> or equivalent step in variants of the basic process as defined in 3.3.2 
> onwards depending of the form of the input document, except when the 
> <Document> content is an <InlineXML> element. In this case, the server 
> should extract <InlineXML> contents without taking inherited namespaces 
> and attributes."
> 
> 
> 2. text in line 1388
> Substitute
> "a.    If the input document is a <Document>, the server extracts and 
> decodes as described in 3.3.1 Step 1.a (or equivalent step in variants 
> of the basic process as defined in 3.3.2 onwards depending of the form 
> of the input document). "
> by
> "a.    If the input document is a <Document>, the server extracts and 
> decodes as described in 3.3.1 Step 1.a or equivalent step in variants of 
> the basic process as defined in 3.3.2 onwards depending of the form of 
> the input document, except when the <Document> content is an <InlineXML> 
> element. In this case, the server should extract <InlineXML> contents 
> without taking inherited namespaces and attributes".
> 
> Could you please provide feedback?

I welcome this edit in two places, if it saves us from implying 
knowledge on the server side (during verification) that will not be 
available to the server.

All the best,
Stefan.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]