Francisco Sepulveda <[EMAIL PROTECTED]> wrote on 01/08/2008 02:55:46 PM:

> Michael, if I understand right the http://www.remote-server.com/file.doc
> by definition (W3C) is a detached signature because it points to a
> "thing" located external to the signature itself

"Enveloped or enveloping signatures are over data within the same XML
document as the signature; detached: signatures are over data external to
the signature element."

The problem is that you do not know whether file.doc is the XML document
containing the Signature. Essentially:
<Reference URI="http://www.remote-server.com/file.doc">
might be equivalent to:
<Reference URI="">


>
> Francisco
>
> > Subject: Re: doubt with enveloped signature concept
> > To: security-dev@xml.apache.org
> > CC: [EMAIL PROTECTED]; security-dev@xml.apache.org
> > From: [EMAIL PROTECTED]
> > Date: Tue, 8 Jan 2008 14:48:52 -0500
> >
> > [EMAIL PROTECTED] wrote on 01/08/2008 02:30:00 PM:
> >
> > > Francisco Sepulveda wrote:
> > > > Hello, I'm having problems with respect to what I understand about the
> > > > concept of an "enveloped signature".
> > > >
> > > > The W3C defines the signature as "The signature is over the XML content
> > > > that contains the signature as an element. The content provides the root
> > > > XML document element. Obviously, enveloped signatures must take care not
> > > > to include their own value in the calculation of the SignatureValue".
> > > >
> > > > I have seen that the following XML document has broad acceptance as a
> > > > typical use of digital signature .... the classic enveloped signature of
> > > > the whole document
> > > >
> > > > <document>
> > > >   <element>
> > > >   </element>
> > > >   <Signature>
> > > >     <SignedInfo>
> > > >       ...
> > > >       <Reference URI="">
> > > >         <Transforms>
> > > >           <Transform
> > > >             Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> > > >         </Transforms>
> > > >         <DigestMethod .../>
> > > >         <DigestValue> .... </DigestValue>
> > > >       </Reference>
> > > >     </SignedInfo>
> > > >     ...
> > > >   </Signature>
> > > > </document>
> > > >
> > > > In the above example, it is clear to me that the signature is a child
> > > > of the XML content being signed.
> > > >
> > > > But I read in a book from McGraw-Hill and it shows this example of a
> > > > signature that is enveloped, enveloping and detached...
> > > >
> > > > <Contract1>
> > > >   <ImportantContent Id="ImportantElement">
> > > >     This is important content!
> > > >   </ImportantContent>
> > > >
> > > >   <Signature Id="ThreeTypes">
> > > >     <SignedInfo>
> > > >       <Reference URI="http://www.remote-server.com/file.doc">
> > > >         . . .
> > > >       </Reference>
> > > >       <Reference URI="#contract2">
> > > >         . . .
> > > >       </Reference>
> > > >       <Reference URI="#ImportantElement">
> > > >         . . .
> > > >       </Reference>
> > > >     </SignedInfo>
> > > >     <SignatureValue> . . . </SignatureValue>
> > > >     <Object Id="contract2">
> > > >       <Contract2> This is also very important content! </Contract2>
> > > >     </Object>
> > > >   </Signature>
> > > > </Contract1>
> > > >
> > > > FOR ME, the detached and enveloping signature are REALLY clear, but I
> > > > have doubt about the enveloped signature .... the book said
> > > >
> > > > "The Signature Element is enveloped by the <Contract1> element. This
> > > > particular association gives the XML Signature the enveloped property"
> > > >
> > > > So, that is my point, maybe I'm wrong but for me the <Reference
> > > > URI="#ImportantElement"> is a detached signature or not???
> > >
> > > Based on the example above, you're right and the book is wrong. If in
> > > the example above, the ImportantElement ID was an attribute of the
> > > Content element then it would be enveloped. It might be nice to send the
> > > author a comment about that.
> >
> > I think there is a misunderstanding. This statement
> > "The Signature Element is enveloped by the <Contract1> element. This
> > particular association gives the XML Signature the enveloped property"
> > is correct. The Contract1 element envelopes the Signature element.
> >
> > The <Reference URI="#ImportantElement"> is a detached Signature.
> >
> > What we do not know, without more information, is whether the <Reference
> > URI="http://www.remote-server.com/file.doc"> points to the document that
> > contains the Contract1 element. If it does, that is an Enveloped
> > Signature.
> >
> > >
> > > >
> > > > My final question is, if I really want to sign the <ImportantContent>
> > > > element using an enveloped signature. Do I really need to put the
> > > > signature as child of the <ImportantContent> element or not?? Does the
> > > > location of the signature have a significant impact?
> > >
> > > Yes, otherwise it is not an enveloped signature.
> > >
> > > > or when the
> > > > signature is enveloped it is always located as the "last child" of the
> > > > document element inside an XML document..
> > >
> > > It doesn't have to be the last child, it could be the first, the second,
> > > or any descendant element.
> > >
> > > --Sean
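As an added example (not code from this thread), here is a small Python classifier that applies the distinction discussed above: a Reference is enveloped when the data it points to encloses the Signature element, enveloping when the data sits inside the Signature, and detached otherwise, with an external URI left undecided just as Michael notes. It also flags an enveloped Reference that lacks the enveloped-signature transform, the pitfall the quoted W3C text warns about. The sample document is constructed after the book example, assuming the XMLDSig namespace on Signature.

```python
import xml.etree.ElementTree as ET
DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED_TRANSFORM = DS + "enveloped-signature"

# Constructed sample after the thread's book example; the Signature is given the XMLDSig namespace.
SAMPLE = f"""<Contract1>
  <ImportantContent Id="ImportantElement">This is important content!</ImportantContent>
  <Signature Id="ThreeTypes" xmlns="{DS}">
    <SignedInfo>
      <Reference URI="http://www.remote-server.com/file.doc"/>
      <Reference URI="#contract2"/>
      <Reference URI="#ImportantElement"/>
      <Reference URI=""><Transforms><Transform Algorithm="{ENVELOPED_TRANSFORM}"/></Transforms></Reference>
    </SignedInfo>
    <Object Id="contract2"><Contract2>Also very important content!</Contract2></Object>
  </Signature>
</Contract1>"""


def classify_references(xml_text):
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    sig = root.find(f".//{{{DS}}}Signature")
    ancestors, node = set(), sig
    while node in parent:            # every element that encloses the Signature
        node = parent[node]
        ancestors.add(node)
    inside_sig = set(sig.iter())     # everything the Signature itself contains
    results = {}
    for ref in sig.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI")
        if uri == "":                # same-document reference: the whole document
            target = root
        elif uri.startswith("#"):    # fragment: the element carrying that Id, if any
            target = next((e for e in root.iter() if e.get("Id") == uri[1:]), None)
        else:                        # external URI: without fetching it we cannot
            target = None            # tell whether it is this very document
        if target is None:
            kind = "unresolved fragment" if uri.startswith("#") else "detached (external)"
        elif target in ancestors:    # signed data contains the Signature: it must
            kind = "enveloped"       # exclude itself or verification is circular
            if not any(t.get("Algorithm") == ENVELOPED_TRANSFORM
                       for t in ref.iter(f"{{{DS}}}Transform")):
                kind += " (missing enveloped-signature transform)"
        elif target in inside_sig:   # signed data lives inside the Signature
            kind = "enveloping"
        else:
            kind = "detached (same document)"
        results[uri] = kind
    return results
```

Running `classify_references(SAMPLE)` labels the three book references detached (external), enveloping and detached (same document), and the URI="" reference enveloped.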