
Subject: RE: [ebxml-msg] ds:Signature Algorithm


OK, I have some more information and I am thinking we should stick to the
enveloped-signature algorithm.

Apparently, the use of peer signatures is not well-defined in the security
industry anyway.  So we really don't need to worry about this.

For nested signatures, it looks like you can take the older signature(s) and put
it(them) into a Signature+Object (wrap another ds:Signature element around the
first ds:Signature element).

I will amend my proposal to:

	<Signature xmlns=". . .">
	  <SignedInfo>
	    . . .
	    <Reference URI="">
	      <Transforms>
	        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
	        <Transform Algorithm=". . .">
	          <XPath>
	            not(ancestor-or-self::*[@soap:actor="http://www.oasis-open.org/committees/ebxml-msg/nextMSH"] |
	                ancestor-or-self::*[@soap:actor="http://schemas.xmlsoap.org/soap/actor/next"])
	          </XPath>
	        </Transform>
	      </Transforms>
	    </Reference>
	  </SignedInfo>
	</Signature>

Will this work?  Anyone have an opinion?

Regards,

David Fischer
Drummond Group.

-----Original Message-----
From: David Fischer [mailto:david@drummondgroup.com]
Sent: Wednesday, October 24, 2001 12:42 PM
To: Christopher Ferris
Cc: Doug Bunting; ebXML Msg
Subject: RE: [ebxml-msg] ds:Signature Algorithm


Well, we did, Chris.

Did you also forget that you were supposed to provide a Transform XPath to
exclude all actor=next?

What do you think of mine?  Will it work?

David.

-----Original Message-----
From: Christopher Ferris [mailto:chris.ferris@sun.com]
Sent: Wednesday, October 24, 2001 10:58 AM
To: David Fischer
Cc: Doug Bunting; ebXML Msg
Subject: Re: [ebxml-msg] ds:Signature Algorithm


I don't recall a decision to exclude all Signatures.

Cheers,

Chris

David Fischer wrote:

> Yes, I know, there are good cases for both separate signatures and for signing
> over previous signatures.
>
> We decided to exclude all signatures two con calls ago when we could not figure
> out how to add a signature without breaking a previous signature (how do you
> know which signature to process first and then you must exclude the later
> signatures when processing the earlier ones).  We decided NOT to discuss, in the
> spec, the use of multiple signatures.
>
> As with all things in this group, nothing is final ;-^.
>
> Regards,
>
> David Fischer
> Drummond Group.
>
> -----Original Message-----
> From: Doug Bunting [mailto:dougb62@yahoo.com]
> Sent: Tuesday, October 23, 2001 5:17 PM
> To: ebXML Msg
> Subject: Re: [ebxml-msg] ds:Signature Algorithm
>
>
> David,
>
> Are we really deciding to exclude ALL signature elements?  I can see some
> very good use cases (validating someone else's signature for example) for
> signing a previous signature.
>
> Separately, when was that decision made?
>
> thanx,
>     doug
>
> ----- Original Message -----
> From: "David Fischer" <david@drummondgroup.com>
> To: "Christopher Ferris (E-mail)" <chris.ferris@east.sun.com>
> Cc: "ebXML Msg" <ebxml-msg@lists.oasis-open.org>
> Sent: Tuesday, 23 October 2001 15:04
> Subject: [ebxml-msg] ds:Signature Algorithm
>
>
> Chris,
>
> Since we are deciding to exclude ALL signature elements, shouldn't we get
> rid of the
> http://www.w3.org/2000/09/xmldsig#enveloped-signature algorithm and just
> use:
>
>    <XPath> not(ancestor-or-self::ds:Signature) </XPath>
>
> which would exclude ALL ds:Signature elements?  Or better yet:
>
>    <XPath> not(ancestor-or-self::ds:Signature |
>      ancestor-or-self::*[@soap:actor="http://oasis-open.org/committees/ebxml-msg/nextMSH"] |
>      ancestor-or-self::*[@soap:actor="http://schemas.xmlsoap.org/soap/actor/next"] )
>    </XPath>
>
> Regards,
>
> David Fischer
> Drummond Group.
>
>
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
>
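
Added example, not part of the original thread or of any ebXML implementation: a Python sketch that computes what a Reference URI="" covers under the two filters discussed above (enveloped-signature plus the actor filter, versus excluding every ds:Signature), so the effect of adding a peer signature or changing an actor=next header can be compared. Assumptions: the sample message, the x: element names and the Id values are constructed, the XPath filter is modeled as subtree pruning, and the standard library's C14N 2.0 with SHA-256 stands in for the canonicalization and digest a real XML-DSig stack would use.

```python
import hashlib
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
SIG = "{http://www.w3.org/2000/09/xmldsig#}Signature"
ACTOR = "{%s}actor" % SOAP
# The two actor URIs named in the XPath filter of the amended proposal.
NEXT_ACTORS = {"http://www.oasis-open.org/committees/ebxml-msg/nextMSH",
               "http://schemas.xmlsoap.org/soap/actor/next"}

def prune(parent, drop):
    """Delete child subtrees for which drop() is true, keeping trailing text."""
    prev = None
    for child in list(parent):
        if drop(child):
            if prev is None:
                parent.text = (parent.text or "") + (child.tail or "")
            else:
                prev.tail = (prev.tail or "") + (child.tail or "")
            parent.remove(child)
        else:
            prune(child, drop)
            prev = child

def covered_digest(xml_text, sig_id, all_signatures=False):
    """SHA-256 of what Reference URI="" covers for the Signature with Id=sig_id.

    all_signatures=False: enveloped-signature transform plus the actor filter.
    all_signatures=True:  the earlier not(ancestor-or-self::ds:Signature | ...) filter.
    """
    root = ET.fromstring(xml_text)
    def drop(el):
        if el.tag == SIG and (all_signatures or el.get("Id") == sig_id):
            return True
        return el.get(ACTOR) in NEXT_ACTORS
    prune(root, drop)
    # Stand-in canonicalization: stdlib C14N 2.0 (an assumption, see lead-in).
    canon = ET.canonicalize(ET.tostring(root, encoding="unicode"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

# Constructed sample message; the x: element names are hypothetical.
MSG = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:x="urn:example">
  <soap:Header>
    <x:MessageHeader>order-1</x:MessageHeader>
    <x:Routing soap:actor="http://schemas.xmlsoap.org/soap/actor/next">hop-A</x:Routing>
    <ds:Signature Id="first"><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
  </soap:Header>
  <soap:Body><x:Payload>data</x:Payload></soap:Body>
</soap:Envelope>"""
# The same message after a second party adds its own peer signature.
MSG2 = MSG.replace("</soap:Header>", '<ds:Signature Id="second"/></soap:Header>')
```

With the enveloped-signature variant, covered_digest(MSG, "first") and covered_digest(MSG2, "first") differ, which is the broken-earlier-signature case raised in the thread; with all_signatures=True they match.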


