On Fri, 2004-10-01 at 18:35, Wijlens, Joris (J.) wrote: > But when I try to verify message1 it fails. I think because I think > the appearing xmlns="" 's in message2 are taken into account when > signing the message (?? and message1 doesn't have them). Am I doing > something wrong here?
You definitely are; the clear blunder that you're guilty of is trusting the email that I sent. I thought that I had tested that this technique worked at the time that I wrote the email, but you're quite right, transferring the signature back to the original document, contrary to my words, doesn't in fact work. At all. I was hoping I'd get some time to work out why and send through some fixes before anybody actually noticed ;) Eyeballing the content doesn't seem to adequately explain why it doesn't work; in theory, you take document A, serialize and re-parse it, leaving you with document A (again), you then insert a signature into it. Inserting a signature should be a matter of c14n'ing document A, which should *still* leave you with document A, and then inserting an element somewhere. Given that all of those steps should happen the same way when validating a signature, one would think that one should be able to take the signature element out and insert it into any of the previous versions of document A, and, as long as it's always in the same place in the document, it should still validate. Clearly, it doesn't, meaning that one or more of those transformations is non-isomorphic. I'm looking at the c14n bit here, since I don't think it has any business munging the original document anyway, although it should theoretically still work even if it does. Sorry for misleading you! m.
