Subject: Re: [dss] "Required" Designation on SignatureObject within VerifyRequest


Trevor,

     Please find attached a facsimile of your "challenge" document. It 
was created in minutes with XMLSec V1.2.4 invoked through Python-XMLSec 
bindings on a RedHat 9 platform. This signature was subsequently sent 
back in on a Verify call to the same library "WITHOUT A SINGLE XPATH 
REFERENCE" or any hint whatsoever at signature location within the 
document.

     My point was that many libraries do not require this information 
and consequently neither will many of our DSS implementors. It is 
superfluous and an unnecessary inconvenience for clients.

     Given its superfluousness (sic ?) and despite how horrible a 
thought it is to you, SignaturePtr will be unnecessary in many single 
document scenarios. Again, I contend, this single document scenario will 
be by far the most popular from a usage viewpoint.

     What I am asking is a trivial change. Simply remove the [Required] 
designation on the SignatureObject. I have just shown to you a perfectly 
legitimate (and implemented) example of when it is.

Ed   

Trevor Perrin wrote:

> At 11:02 PM 4/14/2004 -0400, ed.shallow@rogers.com wrote:
>
>> Folks,
>>
>>      An enveloped signature in the only InputDocument presents no
>> implementation issue with respect to locating the signature.
>
>
> Suppose I have an input document like:
>
> <a>
>         <b>
>                 <c/>
>         </b>
>         <d/>
>         <e>
>                 <f>
>                 </f>
>                 <ds:Signature>
>                 </ds:Signature>
>         </e>
> </a>
>
> With what you're proposing, the server would have to search through 
> all the elements until it's found the signature, right?
>
> And what if the signature can't be identified by element name (i.e., 
> it's named "xyz", but it's of type ds:SignatureType).  Then it becomes 
> even harder to figure out which element is the signature.  Much better 
> just for the client to indicate it, isn't it?
>
>
>>     As a compromise, would you allow something like this in the spec's
>> documentation ...
>>
>> "When only one InputDocument exists, which contains the signature to be
>> verified, DSS implementations MAY relieve their callers of having to
>> initialize the SignaturePtr elements (i.e. WhichDocument and XPath). 
>> In this
>> case, DSS implementations would assume the signature is contained in the
>> only InputDocument and verify the signature accordingly, whether it be
>> enveloped or enveloping".
>
>
> I don't think we need to say anything about the relationship between 
> the caller and the implementation; that's an API issue.
>
> However, are you saying the *client* would send an empty/uninitialized 
> <SignaturePtr> to the server?  I hope not, that would be too horrible 
> to even contemplate.... :-)
>
>
> Trevor
>

<?xml version="1.0" encoding="UTF-8"?>
<!--
Sign Template - enveloped-buried - Ed Shallow April 15, 2004
-->
<a>
	<b>
		<c>
			<c1 MimeType="text/plain">This is the data</c1>
			<c2 MimeType="text/plain">This is the data</c2>
			<c3 MimeType="text/plain">This is the data</c3>
		</c>
	</b>
	<d>
		<d1 MimeType="text/plain">This is the data</d1>
		<d2 MimeType="text/plain">This is the data</d2>
	</d>
	<e>
		<f>
			<f1 MimeType="text/plain">This is the data</f1>
			<f2 MimeType="text/plain">This is the data</f2>
			<f3 MimeType="text/plain">This is the data</f3>
		</f>
		<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
			<SignedInfo>
				<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
				<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
				<Reference URI="">
					<Transforms>
						<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
					</Transforms>
					<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
					<DigestValue>pgu/Uz5BP+zLoBBrBgw53jd6HkQ=</DigestValue>
				</Reference>
			</SignedInfo>
			<SignatureValue>OVcoNcSaj84XwBTB9JSYGY0LcRWzcg8AWF5WYDEKXDIhuWk9EoUB5bxS/MhN/tFM
VjzBiZUCKA7Rj8HFGq7kjkIbxCZfGvtpq5mUJG6HaoMunUpwrszVmFVJz8fsJukt
9lehMOH3MrPOHPeAFhSPJXXWsKCzcmApaV/s9TWrbIc=</SignatureValue>
			<KeyInfo>
				<KeyName/>
				<X509Data>
					<X509Certificate>MIIEQzCCAyugAwIBAgIBGzANBgkqhkiG9w0BAQUFADCB8zELMAkGA1UEBhMCQ0Ex...</X509Certificate>
					<X509SubjectName>emailAddress=ed.shallow@rogers.com,CN=Ed Shallow,OU=Electronic Post Mark,O=For Test Use Only,O=Canada Post Corporation,L=Ottawa,ST=Ontario,C=CA</X509SubjectName>
					<X509IssuerSerial>
						<X509IssuerName>emailAddress=SecurityOfficer@canadapost.ca,CN=Canada Post Corporation Certificate Authority,OU=Electronic Post Mark,O=For Test Use Only,O=Canada Post Corporation,L=Ottawa,ST=Ontario,C=CA</X509IssuerName>
						<X509SerialNumber>27</X509SerialNumber>
					</X509IssuerSerial>
				</X509Data>
			</KeyInfo>
		</Signature>
	</e>
</a>
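As an added illustration of the point both sides are arguing (not code from this thread, from XMLSec or from any DSS implementation), the following Python walks the only InputDocument for ds:Signature candidates, records the path a SignaturePtr/XPath would have carried, and applies the "only InputDocument" shortcut only when the result is unambiguous. The three sample documents are constructed here (modelled on Trevor's nested example), and the xsi:type check is a local-name simplification of real schema validation.

```python
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SIG_TAG = f"{{{DSIG_NS}}}Signature"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed input modelled on Trevor's example: the signature is buried
# under <e>, not at the root, and no SignaturePtr/XPath accompanies it.
BURIED_DOC = """<a><b><c/></b><d/><e><f/>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo/></Signature>
</e></a>"""
# Constructed input with two signatures: the "only InputDocument" shortcut is ambiguous.
TWO_SIGS_DOC = """<a xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature Id="s1"/><b><ds:Signature Id="s2"/></b></a>"""
# Constructed input where the element is named "xyz" but typed ds:SignatureType.
RENAMED_DOC = """<a xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <xyz xsi:type="ds:SignatureType"><ds:SignedInfo/></xyz></a>"""

def _is_signature(el):
    """Match by qualified name, or by an xsi:type whose local part is
    SignatureType. ElementTree does not resolve the prefix inside the
    attribute value, so this compares local names only (a simplification)."""
    return el.tag == SIG_TAG or el.get(XSI_TYPE, "").split(":")[-1] == "SignatureType"

def find_signatures(xml_text):
    """Walk the whole document and return (path, element) for every signature
    candidate; the path is the pointer the client could have supplied instead."""
    found = []
    def walk(el, prefix):
        local = el.tag.rsplit("}", 1)[-1]
        here = f"{prefix}/{local}"
        if _is_signature(el):
            found.append((here, el))
        for child in el:
            walk(child, here)
    walk(ET.fromstring(xml_text), "")
    return found

def locate_single_signature(xml_text):
    """The 'only InputDocument' shortcut, done safely: accept exactly one
    candidate and fail closed otherwise, rather than verifying the first hit."""
    found = find_signatures(xml_text)
    if len(found) != 1:
        raise ValueError(f"expected exactly one signature, found {len(found)}; "
                         "a SignaturePtr is required to disambiguate")
    return found[0]
```

On untrusted input the same walk should run over a hardened parser (for example defusedxml) rather than xml.etree directly.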

