OASIS Mailing List Archives

dss message

Subject: Re: [dss] Core spec: client-side transforms, etc.


Hi Trevor,

Trevor Perrin wrote:

> [...]

> My question below is still outstanding, as for why servers will be 
> signing documents which are different from what clients send,

Please read 
http://www.cafeconleche.org/books/xmljava/chapters/ch10s05.html Note: 
(c) 2000, 2001 Elliotte Rusty Harold, and most of what is spoken of there 
is already reality these days.
Read also http://www.w3.org/TR/2001/REC-xmlschema-1-20010502/#key-nv

> so that document-splicing on the client-side will be unreliable.

After you have read the first parts of these links above, you should 
have an idea of how n clientside-parsers will behave in combination with 
m serverside-parsers, if the input document was not embedded binary by 
the client using Base64XML or as a character stream by EscapedXML.
The situation gets worse if the input had to be on the client side to be 
transformed, and these problems apply now as well.
I think however that m serverside-parsers can be managed.

> [...]
> Could you explain in detail, with some examples?

Yes.

>
> Maybe I'm just naive, 

Please read http://www.w3.org/TR/xmldsig-filter2/#sec-Examples.

> but it disturbs me to imagine the server operating on a different XML 
> document than the client sent, without this difference being 
> represented in the transform chain.

The reason simply is because the client has already applied transforms. 
Please consider the following Transforms:

           <dsig:Transforms>
             <dsig:Transform 
              Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
               <dsig-xpath:XPath Filter="intersect"> //*[starts-with(name(),'B')] </dsig-xpath:XPath>
               <dsig-xpath:XPath Filter="union"> //AAA </dsig-xpath:XPath>
             </dsig:Transform>
             <dsig:Transform 
              Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
               <dsig-xpath:XPath Filter="union"> //EEE </dsig-xpath:XPath>
             </dsig:Transform>
           </dsig:Transforms>

     <AAA>
          <CCC>
               <BBB/>
               <BBB/>
               <BBB/>
          </CCC>
          <DDD>
               <BBB/>
               <BBB/>
          </DDD>
          <EEE>
               <CCC/>
               <DDD/>
          </EEE>
     </AAA>

Client applies first transform and sends:
     <AAA>
               <BBB/>
               <BBB/>
               <BBB/>
               <BBB/>
               <BBB/>
     </AAA>

Transmission

Server applies second transform and signs:
     <AAA>
               <BBB/>
               <BBB/>
               <BBB/>
               <BBB/>
               <BBB/>
     </AAA>


However, if either the client or the server had applied both 
transforms, they would have signed:

     <AAA>
               <BBB/>
               <BBB/>
               <BBB/>
               <BBB/>
               <BBB/>
          <EEE>
          </EEE>
     </AAA>

For more XPath expressions that can cause trouble refer to:
http://www.zvon.org/xxl/XPathTutorial/Output/example8.html
http://www.zvon.org/xxl/XPathTutorial/Output/example12.html
http://www.zvon.org/xxl/XPathTutorial/Output/example15.html
http://www.zvon.org/xxl/XPathTutorial/Output/example16.html

best regards
Konrad
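
As an added illustration (editor's code, not part of Konrad's message or of any DSS implementation), the following stdlib-only Python models the XPath Filter 2 subtree rule with Python predicates standing in for XPath strings. It uses a hypothetical subtract/union pair instead of the thread's intersect/union filters so the intermediate document stays well-formed, and shows that a later union can re-select EEE only when the original document is still at hand, not after the client has serialised and transmitted the output of the first transform.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the document from the thread, with whitespace removed.
DOC = ("<AAA><CCC><BBB/><BBB/><BBB/></CCC><DDD><BBB/><BBB/></DDD>"
       "<EEE><CCC/><DDD/></EEE></AAA>")


def subtree(nodes):
    """Filter 2 subtree selection: each selected node plus all its descendants."""
    out = set()
    for n in nodes:
        out.update(n.iter())  # Element.iter() yields the element itself and descendants
    return out


def filter2(root, input_set, filters):
    """One dsig:Transform carrying a sequence of (Filter, predicate) pairs.
    A predicate stands in for an XPath expression and is evaluated against the
    whole document `root`; the running set Z starts as the transform's input set."""
    z = set(input_set)
    for op, pred in filters:
        s = subtree(e for e in root.iter() if pred(e))
        z = {"intersect": z & s, "union": z | s, "subtract": z - s}[op]
    return z


def serialize(root, selected):
    """Octet-stream form of a node-set: emit only selected elements, keeping
    selected descendants of unselected ancestors (as node-set c14n does)."""
    def emit(e):
        kids = "".join(emit(c) for c in e)
        return f"<{e.tag}>{kids}</{e.tag}>" if e in selected else kids
    return emit(root)


# Hypothetical transform chain (not the thread's): drop EEE, later select EEE.
T1 = [("subtract", lambda e: e.tag == "EEE")]
T2 = [("union", lambda e: e.tag == "EEE")]


def same_party(doc=DOC):
    """One party holds the original document and runs the whole chain on it."""
    root = ET.fromstring(doc)
    z = filter2(root, filter2(root, root.iter(), T1), T2)  # union sees EEE again
    return serialize(root, z)


def split_across_transmission(doc=DOC):
    """Client runs T1 and sends bytes; the server parses a new document and
    runs T2 on it, so a union for EEE can no longer find anything."""
    client = ET.fromstring(doc)
    wire = serialize(client, filter2(client, client.iter(), T1))
    server = ET.fromstring(wire)
    return serialize(server, filter2(server, server.iter(), T2))
```

A verifier that recomputes the chain from the original document will therefore obtain a different octet stream than the one the server signed, which is the mismatch the thread is warning about.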

