Raul Benito wrote:
I was talking about the use of them alone, where they then need to be c14n by
themselves. Anyway, I see the point, and I think it is one of the sane ones to
be used outside of the signature. But please, in order not to repeat it, can you
send me the JUnit test case? It will make the change faster, and it will also
allow us not to make the same mistake again.
Sure - I need to extract a "pure" xmlsec unit test out of the overall WSS4J
unit test.
Just another thought in this context:
The XML Signature specification (and the many other XML specifications in
general) do not restrict usage of all the XML elements they define. Usually
there is no definition of "this is an internal element" or "this is an external
element" (xmlsec implements elements as objects).
For example KeyInfo is used in XML Signature as well as in XML Encryption
specifications. Other elements specified in XML Signature may be re-used
elsewhere (see the large set of OASIS Web Service specifications :-) ).
In my understanding an implementation of XML Security specification (such as
xmlsec) shall expect that _every_ element could be used in some other context,
even stand-alone. There is no reason why an application shall not be able to
re-use for example a "Reference" element, or a "X509Data" element as a
stand-alone element if the application's XML structure requires this. And of
course an application shall be able to use xmlsec in this case - because it
exists, is tested, and implements these elements.
There is also no such definition as "a sane use outside as signature" - any
application decides on its own what is "sane" or "insane" with respect to the
XML structures it uses.
As a summary: there is *no reason* (and in large parts it's counter-productive)
to single out elements that are defined in the specifications and make them
usable in one specific context only.
Regards,
Werner
On Fri, Oct 3, 2008 at 5:15 PM, Werner Dittmann <[EMAIL PROTECTED]> wrote:
Raul Benito wrote:
Hello,
I think I made the change, so I will try to defend it. First of all, the use
of KeyInfo outside of a Signature is not a use case I was looking at.
Raul,
KeyInfo as such (as an XML element) is not used inside Signature only. If you
have a look into the OASIS WSS specification you will see that KeyInfo is
used everywhere (nearly everywhere) a key is used, thus also to store
information and references to encryption keys and so on. And these are exactly
the test cases that break when we use KeyInfo to implement OASIS WSS.
Regards,
Werner
So perhaps we break it as we don't look at it. And sadly the old API is full
of internal objects that can be used externally. And I see KeyInfo like that.
So in order to fix it, can you write a test case that fails and submit a bug?
I will update the code in SVN head.
Thanks,
Raul