Nick: Unless I am missing something in your example, what you are describing is the very motivation behind the need for canonicalization of xml for digital signatures.
By specifying the exact canonicalization method used at the time of signing, at the point of verification the exact xml can be recreated thus avoiding the problems associated with reformatting of XML that may ocurr during processing by intermediaries or other middleware. Hope this helps. --larry > -----Original Message----- > From: Nick Sydenham [mailto:[EMAIL PROTECTED] > Sent: Monday, November 29, 2004 11:28 AM > To: [EMAIL PROTECTED] > Subject: Namespace moves > > > I'm looking at an existing problem with some of our code and couldn't > find a definitive answer in the W3C Recommendation. > Basically, it's not > clear from the spec how moving a namespace definition affects the > validity of a signature. For instance, if I have: > > <SignedInfo xmls:gt="http://www.wibble.com/CM/envelope";> > ... > <Transform Algorithm="..."> > <XPath>(count(ancestor-or-self::node()/gt:Message/gt:Body)=... > </Transform> > </SignedInfo> > > If I then return an enveloping signature with the gt > namespace moved to > the root element the XML document is still valid as the namespace is > still declared on an ancestor node. However, from an XML > Signature point > of view I have changed the SignedInfo element which in theory > breaks the > signature. Is this a correct analysis or should moving the namespace > definition not affect the signature validity? > > TIA, > > Nick > > -- > This message has been scanned for viruses and > dangerous content, and is believed to be clean. > -- This message has been scanned for viruses and dangerous content, and is believed to be clean.
