Nick,
For an enveloping signature - moving the namespace to the root should be fine, as the namespace is extant over the entire sub-tree that is being signed. However if you have an enveloped signature, you might run into problems, depending on the type of canonicalisation you use. If it is standard C14n, then the namespace node may appear in the data being signed and that would cause a reference to break.
Caveat - I haven't thought too hard - late night last night, so feel free to tell me I'm wrong :>.
Cheers, Berin
Nick Sydenham wrote:
I'm looking at an existing problem with some of our code and couldn't find a definitive answer in the W3C Recommendation. Basically, it's not clear from the spec how moving a namespace definition affects the validity of a signature. For instance, if I have:
<SignedInfo xmlns:gt="http://www.wibble.com/CM/envelope"> ... <Transform Algorithm="..."> <XPath>(count(ancestor-or-self::node()/gt:Message/gt:Body)=... </Transform> </SignedInfo>
If I then return an enveloping signature with the gt namespace moved to the root element the XML document is still valid as the namespace is still declared on an ancestor node. However, from an XML Signature point of view I have changed the SignedInfo element which in theory breaks the signature. Is this a correct analysis or should moving the namespace definition not affect the signature validity?
TIA,
Nick
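The following is an added illustration of the point made in the thread, not code from either poster: a deliberately simplified model of the inclusive (standard) C14N namespace rule, run over two constructed documents that differ only in where the gt prefix (URI taken from the thread) is declared. It omits whitespace, comment and attribute-value rules and is not a conforming canonicaliser; it exists only to show that the canonical form of a signed sub-tree does not change when the declaration moves to an ancestor, while the canonical form of the whole document does. The document text and the function names are constructed for this example.

```python
"""Simplified model of inclusive C14N namespace rendering (not a full
implementation): every namespace in scope on an element is written on it
unless the nearest rendered ancestor already emitted the same declaration."""
import hashlib
import xml.dom.minidom as minidom

NS = "http://www.wibble.com/CM/envelope"  # URI from the thread

# Constructed sample documents: identical infosets, declaration in different places.
DOC_DECL_ON_MESSAGE = (
    '<root><gt:Message xmlns:gt="%s"><gt:Body>hi</gt:Body></gt:Message></root>' % NS
)
DOC_DECL_ON_ROOT = (
    '<root xmlns:gt="%s"><gt:Message><gt:Body>hi</gt:Body></gt:Message></root>' % NS
)


def _in_scope_namespaces(elem):
    """Namespace declarations visible at elem (prefix -> uri), inner ones overriding outer."""
    chain = []
    node = elem
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        chain.append(node)
        node = node.parentNode
    scope = {}
    for anc in reversed(chain):  # outermost first so inner declarations win
        for i in range(anc.attributes.length):
            attr = anc.attributes.item(i)
            if attr.name == "xmlns":
                scope[""] = attr.value
            elif attr.name.startswith("xmlns:"):
                scope[attr.name[len("xmlns:"):]] = attr.value
    return scope


def c14n_inclusive(elem, rendered=None):
    """Render elem and its sub-tree with inclusive-style namespace handling."""
    rendered = dict(rendered or {})  # declarations already emitted by output ancestors
    ns_attrs = []
    for prefix, uri in sorted(_in_scope_namespaces(elem).items()):
        if rendered.get(prefix) != uri:
            ns_attrs.append(("xmlns" if prefix == "" else "xmlns:" + prefix, uri))
            rendered[prefix] = uri
    ordinary = []
    for i in range(elem.attributes.length):
        attr = elem.attributes.item(i)
        if attr.name != "xmlns" and not attr.name.startswith("xmlns:"):
            ordinary.append((attr.name, attr.value))
    attrs = "".join(' %s="%s"' % kv for kv in ns_attrs + sorted(ordinary))
    out = "<%s%s>" % (elem.tagName, attrs)
    for child in elem.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            out += c14n_inclusive(child, rendered)
        elif child.nodeType == child.TEXT_NODE:
            out += child.data
    return out + "</%s>" % elem.tagName


def canonical_subtree(doc_text, tag):
    """Enveloping case: only the referenced sub-tree is canonicalised."""
    doc = minidom.parseString(doc_text)
    return c14n_inclusive(doc.getElementsByTagName(tag)[0])


def canonical_document(doc_text):
    """Enveloped case: the whole document is canonicalised."""
    return c14n_inclusive(minidom.parseString(doc_text).documentElement)


def digest(canonical_text):
    """Reference digest over the canonical octets (SHA-256 used for illustration)."""
    return hashlib.sha256(canonical_text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Sub-tree reference: same octets, same digest, signature survives the move.
    print(canonical_subtree(DOC_DECL_ON_MESSAGE, "gt:Message"))
    print(canonical_subtree(DOC_DECL_ON_ROOT, "gt:Message"))
    # Whole-document reference: the xmlns:gt attribute moves, digest changes.
    print(canonical_document(DOC_DECL_ON_MESSAGE))
    print(canonical_document(DOC_DECL_ON_ROOT))
```

Running it shows the inherited declaration being re-emitted on gt:Message when only the sub-tree is rendered, so the two sub-tree digests match; rendered as whole documents the declaration sits on a different element in each, so those digests differ. Exclusive C14N would behave differently again, which is why the canonicalisation method named in the Transform matters for this question.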