Hi David,

The two books that I know of that deal with W3C XML Signatures are my own book (XML Security) and Donald Eastlake's book (Secure XML). I didn't discuss the Apache XML Security Toolkit in my book because it was just getting developed when my book was published.

From what it sounds like, you're going to be making an XML Signature with a boatload of <Reference> elements, each pointing to non-XML data. This could get tricky as you will need to identify each of these references via an immutable URI. Once the signature is created, if any of these files move locations, the signature will fail reference validation.

In the end, I think you will end up with a set of XML Signatures. Adding <Reference> elements to an existing signature is not allowed by the W3C XML Signature specification. For each new data item that you want to sign, you'll have to create a new XML Signature with the proper URI.

As for learning the Apache APIs, I found them a bit confusing at first, but they seem to work well as long as you aren't trying to canonicalize large amounts of XML data, as the performance can be a limiting factor. In your case, however, it sounds like your data is all XML (at least the larger files), so you'll be limited to the performance of SHA-1 for the digest, which is actually quite good in terms of throughput.

Kind Regards,

Blake Dournaee
Senior Security Architect
Sarvega, Inc.
http://www.sarvega.com/

----- Original Message -----
From: "David Wall @ Yozons, Inc." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, February 05, 2004 10:56 AM
Subject: Books on XML Dsig and/or Apache DSig APIs?

> Are there any good books on XML DSig available, especially those that talk
> about the Apache DSig Java APIs? I'm re-engineering an existing application
> that used its own digital signatures, which gave it complete flexibility,
> and with XML DSigs we'll need a bit more rigor up front in terms of formats,
> optional fields, etc.
>
> In particular, we're looking for detached signatures because we need to be
> able to add lots of signatures to a given data set, and that data set
> includes large elements like an attached file (Word, Excel, PDF, HTML, text,
> XML, JPEG, GIF, TIFF, MPEG, AU or whatever that can easily be multiple MBs
> in size) as well as being combined with various meta data related to the
> signature (actual timestamps, IP addresses, name of signer, email address,
> authentication information, etc.). Our signatures need to include simple
> "integrity only" signatures, legal electronic authorize/agree signature
> dsigs, approve signatures, initialing "sigs", review signatures, etc.
>
> A single transaction can be composed of many parts, including multiple
> independently signed documents (with all the varying types of signatures:
> review, approve, authorize/agree), multi-HTML form page "documents"). A
> transaction can have new documents added over time, so the final XML
> transaction document is really composed of multiple independently signed
> parts that are known to belong to the whole, but the "whole" can grow over
> time until it's "fully executed" or "process completed."
>
> Thanks for any pointers. Again, we do this quite easily with our homegrown
> (yet openly published spec) digital signatures that simply add whatever data
> elements we need at the time without worrying about how to make these
> varying parts work in an XML format that best supports xml dsigs.
>
> David
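
The reference-validation behaviour described in the reply above, shown as an added example that is not part of the original thread and does not use the Apache APIs: each detached `<Reference>` is re-digested from its URI and compared with the stored `DigestValue`. The function names, file names and sample bytes are constructed for illustration; it assumes relative file URIs with no transforms, trusted XML input, and it does not verify `SignatureValue`.

```python
import base64, hashlib, tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

DS = "{http://www.w3.org/2000/09/xmldsig#}"
DIGESTS = {  # DigestMethod identifiers from XML-DSig and XML-Enc
    "http://www.w3.org/2000/09/xmldsig#sha1": hashlib.sha1,
    "http://www.w3.org/2001/04/xmlenc#sha256": hashlib.sha256,
}

def validate_references(signature_xml, base_dir):
    """Reference validation only: re-digest what each URI points to and
    compare with the stored DigestValue. SignatureValue is not checked."""
    base = Path(base_dir).resolve()
    results = {}
    for ref in ET.fromstring(signature_xml).iter(DS + "Reference"):
        uri = ref.get("URI", "")
        algo = DIGESTS.get(ref.find(DS + "DigestMethod").get("Algorithm"))
        expected = base64.b64decode(ref.findtext(DS + "DigestValue"))
        target = (base / uri).resolve()  # assumption: relative file URIs
        if base not in target.parents:
            results[uri] = "outside base directory"  # refuse ../ escapes
        elif algo is None:
            results[uri] = "unsupported digest"
        elif not target.is_file():
            results[uri] = "unresolvable"  # file moved since signing
        elif algo(target.read_bytes()).digest() != expected:
            results[uri] = "digest mismatch"
        else:
            results[uri] = "valid"
    return results

def demo():
    """Constructed sample: two detached references; one file then moves, one changes."""
    sha256_uri = "http://www.w3.org/2001/04/xmlenc#sha256"
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        refs = ""
        for name, data in {"contract.pdf": b"%PDF sample", "photo.jpg": b"JPEG sample"}.items():
            (base / name).write_bytes(data)
            dv = base64.b64encode(hashlib.sha256(data).digest()).decode()
            refs += (f'<Reference URI="{name}"><DigestMethod Algorithm="{sha256_uri}"/>'
                     f'<DigestValue>{dv}</DigestValue></Reference>')
        sig = (f'<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">'
               f'<SignedInfo>{refs}</SignedInfo></Signature>')
        before = validate_references(sig, base)
        (base / "contract.pdf").rename(base / "contract-v2.pdf")  # moved
        (base / "photo.jpg").write_bytes(b"tampered")             # modified
        return before, validate_references(sig, base)
```

`demo()` returns the per-reference status before and after the changes: the renamed file becomes unresolvable and the modified file fails its digest comparison, even though the signature document itself was never touched.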
