[xmlsec] namespaces in enveloping signature

[Bernd Becker]

Hi,
I am using xmlsec in a server to sign a message in the enveloping variant, 
i.e.
the message to be signed is embedded in the Object element of the Signature.
It looks something like this:

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#";>
<SignedInfo>
<CanonicalizationMethod 
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315";>
</CanonicalizationMethod>
<SignatureMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1";></SignatureMethod>
<Reference URI="#MyObj">
<DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1";></DigestMethod>
<DigestValue>...</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>...</SignatureValue>
<Object Id="MyObj">
<aa:BBB xmlns:aa="http://x.y.org/BBB"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xsi:schemaLocation="http://x.y.org/BBB";>
<YYY><ZZZ>Something</ZZZ></YYY>
</aa:BBB>
</Object>
</Signature>

The receiving client is having a problem parsing or validating this, 
because
the elements YYY and ZZZ are not qualified with the namespace prefix aa, 
and thus
it is assuming the default namespace (xmldsig) defined in the Signature 
element.

One solution would be to define namespace prefix in the Signature and use 
that,
avoiding the definition of the default namespace. But right now it is not 
possible
to set it in xmlsec and there seems to be agreement not to support it.

The other two solutions are probably:
1. explicitely qualify all elements within BBB with the prefix aa
    <aa:BBB xmlns:aa="http://x.y.org/BBB"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
     xsi:schemaLocation="http://x.y.org/BBB";>
    <aa:YYY><aa:ZZZ>Something</aa:ZZZ></aa:YYY>
    </aa:BBB>

2. not to use the prefix aa at all but instead define a new default 
namespace
    <BBB xmlns="http://x.y.org/BBB"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
     xsi:schemaLocation="http://x.y.org/BBB";>
    <YYY><ZZZ>Something</ZZZ></YYY>
    <BBB>

What is the better or more correct way to go ?
Thanks in advance for any help,
Bernd
_______________________________________________
xmlsec mailing list
[EMAIL PROTECTED]
http://www.aleksey.com/mailman/listinfo/xmlsec