Moving signed elements into different docs

Tue, 29 Jun 2004 13:55:26 -0700 

I have xml elements that are signed and the related detached signature
element can be embedded in other transactions.  What sort of issues do I
need to do to ensure that I can move the xml around and place in different
locations in other xml documents in the future and still have the xml
signatures be validated?

Presumably, I want to use namespaces on the elements being signed (so if
they are moved they are do not inherit any other namespaces), and then I'm
sure I want to use unique ID attributes that remain unique and the like so
that I can
change the BaseURI or something similar depending on where the signed
elements are moved to.  Is that it?  Are there bigger issues?

i.e.

<doc1>
  <tran1>
    <file originalName="contract.html" mime="text/html"
originalSize="520324">
     <createdDateTime>2004-04-10 11:20:02 GMT</createdDateTime>
     <data>FHAB....</data> <!-- base64 encoded version of the data in a
file -->
    </file>
    <signerBlock>
        <name>David Wall</name>
        <title>Manager</title>
        <date>06/01/2004</date>
        <ipAddr>192.168.1.1</ipaddr>
        <actualDateTime>2004-06-01 11:20:02 GMT</actualDateTime>
        <platformAssertions>
            <experianName>David Wall</experianName>
            <experianLocality>Kirkland, WA</experianLocality>
            <experianPassedDate>2003-12-18 17:45:32 GMT</experianPassedDate>
        </platformAssertions>
    </signerBlock>
  </tran1>
</doc1>

In my case, I want to sign the <file> and all elements within the
<signerBlock>.  But later, that same data may appear in another transactions
at a different hierarchy entirely.

<doc2>
  <tran2>
  <anotherLevel2>
    <file originalName="contract.html" mime="text/html"
originalSize="520324">
     <createdDateTime>2004-04-10 11:20:02 GMT</createdDateTime>
     <data>FHAB....</data> <!-- base64 encoded version of the data in a
file -->
    </file>
    <signerBlock>
        <name>David Wall</name>
        <title>Manager</title>
        <date>06/01/2004</date>
        <ipAddr>192.168.1.1</ipaddr>
        <actualDateTime>2004-06-01 11:20:02 GMT</actualDateTime>
        <platformAssertions>
            <experianName>David Wall</experianName>
            <experianLocality>Kirkland, WA</experianLocality>
            <experianPassedDate>2003-12-18 17:45:32 GMT</experianPassedDate>
        </platformAssertions>
    </signerBlock>
  </anotherLevel2>
  </tran2>
</doc2>

If I put a common NS on the <file> and <signerBlock> elements, will that
suffice?  How do I let it know that when it was original signed the path was
/doc1/tran1/file and /doc1/tran1/signerBlock, but when it was moved in
another transaction the signed data is now in the full path of
/doc2/tran2/anotherLevel2/file and /doc2/tran2/anotherLevel2/signerBlock ?

Thanks,
David

Reply via email to