On Fri, 2004-10-01 at 23:57, [EMAIL PROTECTED] wrote:
> create a DOM tree with only <element> ==> serialize it and re-parse it
> so you got ==> <element xmlns="http://uri-a"> DOM tree ==> sign it
> obtaining
> <element xmlns="http://uri-a"><ds:Signature>...</ds:Signature> ==> you
> cut the ds:signature and paste in the original DOM tree
> obtaining <element><ds:Signature>...</ds:Signature> ==> and now you try
> to check it and it fails. Natürlich (naturally) where
> is xmlns="http://uri-a" attribute it is NOT the same document you
> sign. The library will be wrong if it said that the sign was correct.

Again, respectfully, I'm compelled to disagree. I have very little
experience with XML or xml-dsig, but this just feels very wrong.

Quoting http://lists.w3.org/Archives/Public/www-dom/2003JanMar/0059.html

"Remember, the DOM does not require that all namespace 
declaration attributes be present. Thus, there may be implied bindings, 
which may conflict with explicit ones. The namespace fixup algorithm is 
about finding and "realizing" those; the namespace lookup algorithm 
behaves "as if" fixup had been performed."

This implies that the fixup algorithm isn't a hack, it's a way of
correctly representing the implicit and explicit namespaces. What the
library appears to do is only consider the explicit namespace
attributes.

To put it another way, the <element xmlns=blah attr=val/> is not a DOM,
it's a textual representation of one. The DOM is an abstract structure
that has a number of characteristics, including namespaces. Namespaces
are represented by xmlns attributes when serialized, but not necessarily
prior to serialization - but that doesn't mean that they don't exist!

This line of thought (again, I'm a complete novice at this stuff, so
feel free to shoot me down) is what led me to the serialize/de-serialize
hack, which synchronized the implicit namespaces with the explicit ones.

Your recommended solution seems akin to simulating DOM level 2 (which is
a pre-requisite for xmldsig, isn't it?) using a level 1 interface, in
case that is a useful idea for anyone to understand what I'm trying to
say.

m.
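As an added illustration of the point argued in this thread (this is not code from either poster), the following Python/minidom sketch shows an element created with createElementNS carrying its namespace only as DOM state, with no xmlns declaration emitted on serialisation, and a small namespace-fixup pass that makes the implied binding explicit so the signed, serialised and re-parsed forms describe the same infoset. The fixup_namespaces helper, the namespace URI http://uri-a and the "payload" text are constructed for this example, and the SHA-256 stands in for the DigestValue a real xmldsig Reference would compute over the canonicalised subtree.

```python
import hashlib
from xml.dom import minidom

XMLNS_NS = "http://www.w3.org/2000/xmlns/"


def build_dom(ns_uri):
    # The DOM from the thread: <element> created in ns_uri via createElementNS,
    # but with no xmlns attribute ever set, so the namespace is implied DOM state.
    doc = minidom.Document()
    root = doc.createElementNS(ns_uri, "element")
    root.appendChild(doc.createTextNode("payload"))  # constructed sample content
    doc.appendChild(root)
    return doc


def in_scope_default_ns(elem):
    # Walk ancestor-or-self looking for an explicit default-namespace declaration.
    node = elem
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        if node.hasAttribute("xmlns"):
            return node.getAttribute("xmlns")
        node = node.parentNode
    return ""


def fixup_namespaces(elem):
    # Hypothetical namespace fixup (default namespace only): wherever the implied
    # binding differs from what is explicitly in scope, declare it on the element.
    if elem.prefix is None and in_scope_default_ns(elem) != (elem.namespaceURI or ""):
        elem.setAttributeNS(XMLNS_NS, "xmlns", elem.namespaceURI or "")
    for child in elem.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            fixup_namespaces(child)
    return elem


def digest(elem):
    # Stand-in for an xmldsig DigestValue over the serialised subtree.
    return hashlib.sha256(elem.toxml().encode("utf-8")).hexdigest()


def demonstrate(ns_uri="http://uri-a"):
    raw = build_dom(ns_uri).documentElement            # implied namespace only
    fixed = fixup_namespaces(build_dom(ns_uri).documentElement)
    return {
        "raw_text": raw.toxml(),
        "fixed_text": fixed.toxml(),
        # What a verifier sees after re-parsing each serialisation:
        "raw_reparsed_ns": minidom.parseString(raw.toxml()).documentElement.namespaceURI,
        "fixed_reparsed_ns": minidom.parseString(fixed.toxml()).documentElement.namespaceURI,
        "raw_digest": digest(raw),
        "fixed_digest": digest(fixed),
    }
```

Without the fixup, the re-parsed element has no namespace at all and its digest differs from the fixed-up form, which is exactly the mismatch between the abstract DOM and its textual representation that the serialize/de-serialize hack was papering over.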
