OASIS Mailing List Archives

dss message

Subject: Re: [Fwd: [dss] More on EnvelopingSignature]


Juan Carlos Cruellas wrote:

> i. The client may have applied certain transformations to the to-be-enveloped
> object. I admit that it is difficult for me to imagine transformations other than
> the canonicalization or something in the like. And I would not have any
> problems if we forbid the client to do such things. But in its current wording
> this is still allowed by the core.

Good point, and I agree that the question should be whether client side transforms make sense at all for input documents that go into ds:Objects or are used to place Signatures inside them (i.e. dss:SignaturePlacement).
The more I think about that, I'd conclude that client side transforms are only really useful for detached signatures without ds:Objects if we want to return verifiable signatures.
The reason I'm saying that is that client side transforms will remove nodes, and if the client side does not add these nodes later again to the returned signature it might not verify at all.

> [...] I still doubt whether the XMLData.Transforms element would make
> sense in the enveloping signature case, but I have included it.

Right, the client side would have to exchange the ds:Objects content against the content that was there before the first client side transform to have a verifiable signature.

I think the same is also true for dss:SignaturePlacement, assuming that ds:Reference should be generated for an InputDocument pointed at by dss:SignaturePlacement.

However, this might also be a feature and good for certain clients that have tight bandwidth limitations and hence want to use client side transforms, but this should probably go into a profile.

Konrad
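As an added illustration (not part of the thread, and not DSS or any XML-DSig library's code), the following Python model shows the verification problem Konrad describes: a DSS server that only ever sees the client-transformed bytes puts those bytes into ds:Object while listing the client's transform in ds:Reference, and the digest check then fails until the client swaps the pre-transform content back in. It assumes the standard XML-DSig base64 transform as a concrete client-side transform (chosen because applying it twice is not harmless) and a constructed input document; ds:Object and ds:Reference are reduced to a dict.

```python
import base64
import binascii
import hashlib

# Standard XML-DSig transform URI; the verifier applies it before digesting.
B64 = "http://www.w3.org/2000/09/xmldsig#base64"
TRANSFORMS = {B64: lambda data: base64.b64decode(data, validate=True)}


def digest_after_transforms(content: bytes, transforms) -> str:
    """What a verifier does with a ds:Reference: run the declared transform
    chain over the referenced (here: enveloped) content, then digest."""
    for uri in transforms:
        content = TRANSFORMS[uri](content)
    return hashlib.sha256(content).hexdigest()


def server_sign(received: bytes, declared_transforms) -> dict:
    """Model of the DSS server. It only has the bytes the client submitted
    (already transformed), so it digests them as-is, copies the client's
    declared transforms into ds:Reference and envelopes the bytes in ds:Object."""
    return {"object": received,
            "transforms": list(declared_transforms),
            "digest": hashlib.sha256(received).hexdigest()}


def verify(sig: dict) -> bool:
    try:
        return digest_after_transforms(sig["object"], sig["transforms"]) == sig["digest"]
    except (binascii.Error, ValueError):
        # Transform cannot even be applied to what sits in ds:Object.
        return False


def client_restore(sig: dict, original: bytes) -> dict:
    """The fix-up Konrad describes: exchange the ds:Object content against
    the content that existed before the first client-side transform."""
    return {**sig, "object": original}


# Constructed input document, base64-encoded as the client holds it.
ORIGINAL = base64.b64encode(b"<doc>hello</doc>")
# Client applies the base64 transform itself before calling the server.
SENT = base64.b64decode(ORIGINAL)

signature = server_sign(SENT, [B64])
```

With a declared transform and the transformed bytes enveloped, `verify(signature)` is False; after `client_restore(signature, ORIGINAL)` it is True, and a signature declaring no transforms verifies but covers only the transformed content.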
