OASIS Mailing List Archives

dss message



Subject: In a VerifyRequest we need to disambiguate


Dear all,

In a <dss:VerifyRequest> we need some disambiguation in the case of a
request carrying multiple <dss:DocumentHash>, <dss:TransformedData> or a
combination of those having the same RefURI.

Although I have to admit that this is a corner case, it is not so
unlikely, as Signatures created with SignedReferences allow to create
multiple <ds:References> from the same input document and hence they may
have the same URI.

Section 4.3 point 2. variant b. and also variant c. now ask to check the
matching <ds:Transforms> or the <ds:Transforms> and the
<ds:DigestMethod> to the <ds:References> inside the Signature's
<ds:SignedInfo>.

However, as the <ds:Transforms> and the <ds:DigestMethod> can be
arbitrarily complex, like for example an XSLT <ds:Transform> bearing the
<xsl:stylesheet> directly, this can be very hard and expensive to do. It
might even out the usefulness of <dss:DocumentHash>,
<dss:TransformedData> for such cases.

The comparison could amount to context free extract of the 
<ds:Transforms> and <ds:DigestMethod> elements and the need to 
canonicalize them if a true matching as required in section 4.3 point 2 
should be done.


A straightforward solution to get rid of these problems would be to
introduce an attribute called <xs:attribute name="WhichReference"
type="xs:integer" use="optional"/> that identifies a reference and is
required in the case of a supplied <dss:TransformedData> or
<dss:DocumentHash> and would allow to ignore the given <ds:Transforms>
or the <ds:Transforms> and the <ds:DigestMethod> respectively.


Thoughts?


regards
Konard
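
The ambiguity described in the message, as an added example that is not part of the original post or of the DSS specification: a verifier matching a supplied <dss:DocumentHash> to a <ds:Reference> by RefURI alone, compared with the proposed WhichReference index. The sample <ds:SignedInfo>, the digest values, the zero-based index and the RefURI consistency check are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}

# Constructed sample: two references over the same input document that
# differ only in their transforms. Digest values are placeholders.
SIGNED_INFO = f"""
<ds:SignedInfo xmlns:ds="{DS}">
  <ds:Reference URI="doc.xml">
    <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/></ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <ds:DigestValue>AAAA</ds:DigestValue>
  </ds:Reference>
  <ds:Reference URI="doc.xml">
    <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <ds:DigestValue>BBBB</ds:DigestValue>
  </ds:Reference>
</ds:SignedInfo>
"""

def references(signed_info_xml):
    """Return the ds:Reference elements in document order."""
    return ET.fromstring(signed_info_xml).findall("ds:Reference", NS)

def select_reference(refs, ref_uri, which_reference=None):
    """Pick the single ds:Reference an input applies to, or raise."""
    if which_reference is not None:
        # Proposed attribute: index the reference directly (zero-based here
        # by assumption), so no Transforms/DigestMethod comparison is needed.
        if not 0 <= which_reference < len(refs):
            raise ValueError("WhichReference out of range")
        ref = refs[which_reference]
        if ref.get("URI") != ref_uri:  # assumed sanity check
            raise ValueError("WhichReference does not match RefURI")
        return ref
    # RefURI only: fail closed rather than guess when several match.
    candidates = [r for r in refs if r.get("URI") == ref_uri]
    if len(candidates) != 1:
        raise LookupError(f"{len(candidates)} references match RefURI {ref_uri!r}")
    return candidates[0]

def digest_matches(refs, ref_uri, digest_value, which_reference=None):
    """Compare a supplied digest with the selected reference's DigestValue."""
    ref = select_reference(refs, ref_uri, which_reference)
    return ref.findtext("ds:DigestValue", namespaces=NS) == digest_value
```
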


