Hi Kelvin,

thanks for the reply.
The whole stuff came into my mind when I thought about using SDO to model elements of the SAML specification (http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security). SAML Types may contain XML digital signature elements, for example as shown below

<element name="Assertion" type="saml:AssertionType"/>
<complexType name="AssertionType">
    <sequence>
        <element ref="saml:Issuer"/>
        <element ref="ds:Signature" minOccurs="0"/>
        <element ref="saml:Subject" minOccurs="0"/>
        <element ref="saml:Conditions" minOccurs="0"/>
....
<complexType name="ResponseType">
    <complexContent>
        <extension base="samlp:StatusResponseType">
            <choice minOccurs="0" maxOccurs="unbounded">
                <element ref="saml:Assertion"/>


In the example case, a ResponseType may contain a SAML AssertionType which further may be digitally signed, containing an XML digital signature element. If SDO had supported "stable" literal information, it would have been possible to take an incoming XML ResponseType, serialize it to an SDO and check the contained AssertionType SDO for its correctness. The check algorithm would therefore have to deserialize the AssertionType back to XML in order to generate checksum information that would have to be compared to the original checksum. Again, this all would only work if the original XML structure of the assertion could be reconstructed, which is not the case with SDO. I think I somewhere saw something similar done with the Apache XMLBeans which, if I remember correctly, support such conversions (I am not totally sure, I have to admit). So a "workaround" when using SDO in such scenarios would be to check the XML signature when it is still "on the wire" and before it is serialized to SDO.

I hope this clarified my original intention of the question a bit more.

best regards,
Philipp
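The point made in this thread (a signature covers one particular serialized rendition, so it has to be checked on the wire, before the document is mapped into an object model that only preserves the value space) can be shown with a small script. The following is an added example written for this page, not code from the thread, from Tuscany SDO, or from any SAML or XML-DSig library. It needs Python 3.8+ for `xml.etree.ElementTree.canonicalize`, models only the digest step of a `ds:Reference` over an Assertion (no `SignedInfo` signature), and both XML documents in it are constructed samples; the "re-serialized" one imitates the namespace hoisting and whitespace regeneration the thread describes rather than being actual SDO output. `assertion_digest` and `verify_then_load` are names chosen here, not an API of any project.

```python
import copy
import hashlib
from xml.etree import ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("saml", SAML_NS)
ET.register_namespace("samlp", SAMLP_NS)

# Constructed sample (not a real SAML message): a Response carrying one
# Assertion, as it might arrive on the wire. The ds:Signature element is
# left out because the step that re-serialization breaks is the digest
# computed over the referenced Assertion, which is all that is modelled here.
ORIGINAL_WIRE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# The same content after a value-space-equivalent re-serialization of the
# kind the thread describes: the saml namespace declaration hoisted to the
# root element and all whitespace regenerated. Also constructed; this is an
# imitation of such restructuring, not SDO output.
RESERIALIZED = (
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    b' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    b'<saml:Assertion ID="_a1"><saml:Issuer>https://idp.example.test</saml:Issuer>'
    b'<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
    b'</saml:Assertion></samlp:Response>'
)


def assertion_digest(wire: bytes, assertion_id: str = "_a1") -> str:
    """SHA-256 over the canonical form of the Assertion with the given ID.

    Stands in for the DigestValue of a ds:Reference URI="#_a1": the subtree
    is located by ID, canonicalized (inclusive C14N; whitespace-only text
    nodes are kept, as the C14N transforms used by XML-DSig keep them) and
    hashed. Any change to the literal rendition of that subtree that C14N
    does not normalize away changes the result.
    """
    root = ET.fromstring(wire)
    matches = [e for e in root.iter(f"{{{SAML_NS}}}Assertion")
               if e.get("ID") == assertion_id]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one Assertion with ID {assertion_id!r}")
    subtree = copy.deepcopy(matches[0])
    subtree.tail = None  # drop the whitespace that follows the element in its parent
    canonical = ET.canonicalize(ET.tostring(subtree, encoding="unicode"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def verify_then_load(wire: bytes, expected_digest: str):
    """The workaround from the thread: check the signed content while it is
    still on the wire, and only then hand the bytes to the object model.

    Returns the parsed Response when the digest over the original rendition
    matches the expected value, and None otherwise. Parsing into the object
    model (plain ElementTree here, standing in for SDO) happens only after
    the check, so a document that fails it is never turned into objects.
    """
    if assertion_digest(wire) != expected_digest:
        return None
    return ET.fromstring(wire)


if __name__ == "__main__":
    d_wire = assertion_digest(ORIGINAL_WIRE)
    d_reser = assertion_digest(RESERIALIZED)
    print("digest over wire rendition:         ", d_wire)
    print("digest over re-serialized rendition:", d_reser)
    # The two differ: the regenerated whitespace inside the Assertion is part
    # of the canonical octets, so a verifier fed the re-serialized form fails.
    print("equal:", d_wire == d_reser)
    print("verify-then-load on wire bytes ok:", verify_then_load(ORIGINAL_WIRE, d_wire) is not None)
    print("verify after re-serialization ok: ", verify_then_load(RESERIALIZED, d_wire) is not None)
```

The two digests differ even though both documents carry the same values, which is exactly why the check cannot be deferred until after the SDO round trip: it would fail closed on every message, not just tampered ones. In a real deployment the same ordering applies with a proper XML-DSig verifier in place of `assertion_digest`: verify the signature over the received bytes, then build the SDO from those same bytes.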
----- Original Message ----- From: "kelvin goodson" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, September 28, 2006 10:18 AM
Subject: Re: Working with digitally signed SDO content


Hi Philipp,
 it would be good to understand in a bit more detail what your
suggestion/requirement is.  SDO itself can't handle round tripping XML ->
SDO -> XML in the literal space, but only guarantees to regenerate an XML
rendition which is equivalent in the value space.  Any signature attached to
an incoming XML serialized document would only relate to that particular
serialized rendition of the document so I'm struggling to see where SDO can
help,  but perhaps I have missed the point.

Regards, Kelvin.

On 27/09/06, "Philipp Schöpf" <[EMAIL PROTECTED]> wrote:

Hi,

while playing around with SDOs it came into my mind that it would be fancy
to process digitally signed XML content using SDO API. Unfortunately it
seems like SDO is somehow "restructuring" the XML when it is serialized from
XML to SDO (e.g. re-formatting or moving namespace declarations etc.) and
thus makes successful validation of the digital signature impossible,
afterwards. I guess this is a restriction of the underlying EMF, correct?
Is there any workaround to solve this issue ? I thought about open/ mixed
content but didn't give it a try, yet. Or are there any plans to support
"stable" XML infosets in future?


Best regards,

Philipp


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]