Subject: here()-based XPath Transforms
A slight complication - XML-DSIG defines a here() XPath function that allows XPath transforms to take into account the location of the signature.

I have trouble seeing the use of this. The only useful signature-relative transform I can think of is the Enveloped Signature Transform.

However, if we want a Signing Server to be able to apply here()-based transforms, the client would need to inform the server whenever it intended to insert the signature in one of the Input Documents. The client would have to send something like the <SignaturePlacement> optional input:

    <xs:element name="SignaturePlacement">
      <xs:complexType>
        <xs:choice>
          <xs:element name="XPathAfter" type="xs:string"/>
          <xs:element name="XPathFirstChildOf" type="xs:string"/>
        </xs:choice>
        <xs:attribute name="WhichDocument" type="xs:IDREF"/>
      </xs:complexType>
    </xs:element>

I would prefer to ignore this, since I think here()-based transforms are too marginal a feature to justify special support.

But a similar, more important issue appears with Verification - the server needs to know which signature is being verified, so it can apply an Enveloped Signature Transform (i.e. delete the signature before verifying).

Proposal: in the case of an Enveloped Signature, we could *require* the client to use the <dss:SignaturePtr> feature, to point to the signature element in one of the input documents.

Anyways, here's an email thread that describes here()-based transforms, and gives a possible use for them:

http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2000JulSep/0142.html

Trevor
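
The verification issue raised in the message above, as an added example that is not part of the original post or of any DSS draft: with two enveloped signatures in one input document, the octets that get digested depend on which signature is removed, so a verifier has to be told which one and should reject a pointer that is missing or ambiguous. The sample document, the use of an `Id` attribute as a stand-in for `<dss:SignaturePtr>`, SHA-256 as the digest, and Python's `ET.canonicalize` (C14N 2.0) as the canonicalization are all assumptions made for the illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DSIG)  # keep the ds: prefix when re-serialising

# Constructed input document with two enveloped signatures (values are dummies).
DOC = (
    '<order><item>widget</item>'
    f'<ds:Signature xmlns:ds="{DSIG}" Id="sig-buyer">'
    '<ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>'
    f'<ds:Signature xmlns:ds="{DSIG}" Id="sig-seller">'
    '<ds:SignatureValue>BBBB</ds:SignatureValue></ds:Signature>'
    '</order>'
)

def enveloped_transform(xml_text, signature_id):
    """Remove only the pointed-to ds:Signature; other signatures stay in place."""
    root = ET.fromstring(xml_text)
    hits = [(parent, child) for parent in root.iter() for child in parent
            if child.tag == f"{{{DSIG}}}Signature" and child.get("Id") == signature_id]
    if len(hits) != 1:
        # A missing or ambiguous pointer must fail, never fall back to a guess.
        raise ValueError(f"pointer {signature_id!r} matched {len(hits)} signatures")
    parent, sig = hits[0]
    if sig.tail:  # text after the signature is not part of it, so keep it
        idx = list(parent).index(sig)
        if idx:
            parent[idx - 1].tail = (parent[idx - 1].tail or "") + sig.tail
        else:
            parent.text = (parent.text or "") + sig.tail
    parent.remove(sig)
    return ET.tostring(root, encoding="unicode")

def digest_input(xml_text, signature_id):
    """SHA-256 over the canonicalised document after the transform."""
    canonical = ET.canonicalize(enveloped_transform(xml_text, signature_id))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    for sid in ("sig-buyer", "sig-seller"):
        print(sid, digest_input(DOC, sid))
```
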