Jason Foster wrote:

>> What about a SigningTransformer and a VerifyingTransformer ? The 
>> SigningTransformer would then sign the referenced portions as the 
>> last transformer in a pipeline; the VerifyingTransformer would check 
>> the signatures as the first transformer, either passing the correct 
>> content through or somehow marking the content or signature as 
>> invalid. I hope I understood the spec correctly so far; I guess that 
>> the specification does not apply to other content than serialized XML.
>
> My take on the specification, but I can't claim perfect understanding, 
> is that it covers signing any kind of content.  Quoting from the 
> Introduction:
>
>> XML Signatures can be applied to any digital content (data object), 
>> including XML. An XML Signature may be applied to the content of one 
>> or more resources. Enveloped or enveloping signatures are over data 
>> within the same XML document as the signature; detached signatures 
>> external to the signature element.
>
You are right, you can sign any digital content, but the signature 
itself is detached, not contained in these non-XML binary formats; 
understood - the example at 
http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/#sec-o-Simple shows 
a signature for http://www.w3.org/TR/2000/REC-xhtml1-20000126.

> For enveloped signatures, your suggestion should work fine.  The trick 
> seems to be how to handle detached signatures.

We could handle it like X/CIncludeTransformers work, letting the 
SignatureTransformer fire up on something like

<sig:sign src="http://some.external.doc/to/be/sig.ned">
    <sig:Transforms>
        <sig:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    </sig:Transforms>
    <sig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
</sig:sign>

That way it would be possible to both sign an arbitrary resource and 
portions of the already generated content, via an XPath expression for 
example.

Best regards,

Michael Hartle,
Hartle & Klug GbR
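As an added illustration of the detached-signature case discussed in this thread (not code from the list or from any Cocoon transformer), the following Python sketch builds the ds:Reference a SigningTransformer would emit for an external resource and shows the check a VerifyingTransformer would run against it. It assumes the Transforms step (c14n for XML, nothing for binary content) has already produced the octets to digest, uses a plain callable named `fetch` as a stand-in for the sitemap's resource resolver, and constructs the resource content inline; the sha256 DigestMethod URI is a generalization beyond the sha1 one in the mail.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SHA1_URI = "http://www.w3.org/2000/09/xmldsig#sha1"
ET.register_namespace("ds", DSIG_NS)

# DigestMethod URIs mapped to hashlib constructors. sha1 is the one in the mail;
# sha256 is the later xmlenc identifier, added here as a generalization.
DIGEST_ALGOS = {
    SHA1_URI: hashlib.sha1,
    "http://www.w3.org/2001/04/xmlenc#sha256": hashlib.sha256,
}


def digest_value(content: bytes, algorithm: str) -> str:
    """Base64 DigestValue over the already-transformed octets of the resource."""
    if algorithm not in DIGEST_ALGOS:
        raise ValueError(f"unsupported DigestMethod: {algorithm}")
    return base64.b64encode(DIGEST_ALGOS[algorithm](content).digest()).decode("ascii")


def build_reference(uri: str, content: bytes, algorithm: str) -> ET.Element:
    """SigningTransformer side: a ds:Reference pointing at a detached resource."""
    ref = ET.Element(f"{{{DSIG_NS}}}Reference", {"URI": uri})
    ET.SubElement(ref, f"{{{DSIG_NS}}}DigestMethod", {"Algorithm": algorithm})
    ET.SubElement(ref, f"{{{DSIG_NS}}}DigestValue").text = digest_value(content, algorithm)
    return ref


def verify_reference(ref: ET.Element, fetch) -> bool:
    """VerifyingTransformer side: re-fetch the URI, recompute, compare in constant time."""
    algorithm = ref.find(f"{{{DSIG_NS}}}DigestMethod").get("Algorithm")
    expected = ref.find(f"{{{DSIG_NS}}}DigestValue").text.strip()
    actual = digest_value(fetch(ref.get("URI")), algorithm)
    return hmac.compare_digest(actual, expected)


def demo() -> tuple:
    """Constructed resource standing in for the external document in the mail."""
    uri = "http://some.external.doc/to/be/sig.ned"
    store = {uri: b"<doc>original content</doc>"}  # constructed sample content
    ref = build_reference(uri, store[uri], SHA1_URI)
    ok_before = verify_reference(ref, store.__getitem__)
    store[uri] = b"<doc>changed after signing</doc>"  # resource modified later
    ok_after = verify_reference(ref, store.__getitem__)
    return ok_before, ok_after
```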
