I just wonder, why you don;t want to put signature in the original document? You system may easily insert the Signature at the beggining of original document and later easily remove it so nobody else will see it. IMHO, the hash based approach removes all the XML DSig "beef". There is no reason why you could not just send calculated hash in any binary format.
Aleksey Meg Morgan wrote:
What we decided to do is to create a hash of the data we REALLY want
signed, and put the hash into a nice little xml tree, and sign THAT. That
way we can pluck out the signature from the document and call it "detached"
if we want to.
To check, we recalculate the hash of the original data, compare it with
what is in the signed document blob, then use the xmlsec functions to
check the signature against the public key. In this way we can avoid
using URI references while still masking the content of our original
data.
Thanks again,
meg
Aleksey Sanin wrote:
Actually, you have one more option: use a special protocol name
(like "thisismyprotocol://....") and write custom protocol handlers
that will read document from memory. Thought, it might be not such
a good idea because of interop issues in the future.
Aleksey
_______________________________________________ xmlsec mailing list [EMAIL PROTECTED] http://www.aleksey.com/mailman/listinfo/xmlsec
