Hmm, looking at the XML again I'm not so sure anymore. Sorry, I might have misled you, not giving you the whole picture.
The fact is that what I'm verifying is a SAML Response where the Assertion is signed. The whole document contains an xmlns:xsi specification, namely at the top, in the Response element. But if you only look at the Assertion element by itself there is none. The Assertion element is a child to the Response element, hence it doesn't have to have the xmlns:xsi specification since a parent has it. The same goes for the Attributes elements that exist below the Assertion element. But this is only if you look at the Response as an XML document.

Does the fact that the Assertion element is a signed element force the inclusion of an xmlns:xsi specification in the Assertion tree? Ignoring what is defined in unsigned parent elements?

Phrased differently, *MUST* the Assertion element be self contained?

On Apr 13, 2011, at 15:42, Aleksey Sanin wrote:

> Yes.
>
> http://www.w3.org/TR/xml-c14n
>
> Aleksey
>
>
> On 4/13/11 6:41 AM, Roland Hedberg wrote:
>> Hi!
>>
>> Trying to find out why a signature verification failed.
>> So, I compared what I got and what xmlsec1 has as predigest data.
>>
>> Nothing that I could see except for the fact that xmlsec1 in the predigest
>> data has added xmlns specifications for xsi.
>>
>> <ns1:Attribute FriendlyName="eduPersonEntitlement"
>> Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
>> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> xsi:type="xs:string">foo</ns1:AttributeValue></ns1:Attribute>
>>
>> The original was:
>>
>> <ns1:Attribute FriendlyName="eduPersonEntitlement"
>> Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
>> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue
>> xsi:type="xs:string">foo</ns1:AttributeValue></ns1:Attribute>
>>
>> Is this significant??
>>
>> --Roland
>>
>> _______________________________________________
>> xmlsec mailing list
>> [email protected]
>> http://www.aleksey.com/mailman/listinfo/xmlsec

--Roland
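
Added example, not part of the original thread and not xmlsec code: a Python walk-through of the namespace rule behind the answer quoted above, assuming Exclusive C14N and a constructed Response (`SAMPLE`, `resolve`, `added_declarations` and `demo` are illustrative names). It lists the declarations that canonicalizing the signed Assertion subtree must pull in from the unsigned Response, which is why xmlns:xsi shows up in the predigest data.

```python
from xml.dom import minidom

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Constructed sample: namespaces are declared only on the unsigned Response.
SAMPLE = (
    '<ns0:Response xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol"'
    ' xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion"'
    ' xmlns:xs="http://www.w3.org/2001/XMLSchema"'
    ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    '<ns1:Assertion ID="a1"><ns1:AttributeStatement>'
    '<ns1:Attribute FriendlyName="eduPersonEntitlement">'
    '<ns1:AttributeValue xsi:type="xs:string">foo</ns1:AttributeValue>'
    '</ns1:Attribute></ns1:AttributeStatement></ns1:Assertion></ns0:Response>'
)

def resolve(elem, prefix):
    """Find the nearest declaration of prefix, looking past the signed subtree."""
    name = "xmlns:" + prefix if prefix else "xmlns"
    node = elem
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        if node.hasAttribute(name):
            return node.getAttribute(name), node
        node = node.parentNode
    return None, None

def added_declarations(apex):
    """List (element, prefix, uri, declared_outside_subtree) in document order."""
    outside, node = [], apex.parentNode
    while node is not None:
        outside.append(node)
        node = node.parentNode
    found = []
    def visit(elem, rendered):
        rendered = dict(rendered)
        # Visibly utilized: the element's prefix plus prefixes of attribute names.
        # "xs" in the value "xs:string" is plain text, so it is never counted.
        used = {elem.prefix or ""}
        used |= {a.prefix for a in elem.attributes.values()
                 if a.prefix and a.prefix != "xmlns"}
        for prefix in sorted(used):
            uri, owner = resolve(elem, prefix)
            if uri is not None and rendered.get(prefix) != uri:
                rendered[prefix] = uri
                found.append((elem.tagName, prefix, uri, owner in outside))
        for child in elem.childNodes:
            if child.nodeType == child.ELEMENT_NODE:
                visit(child, rendered)
    visit(apex, {})
    return found

def demo():
    doc = minidom.parseString(SAMPLE)
    return added_declarations(doc.getElementsByTagNameNS(SAML_NS, "Assertion")[0])
```

Calling `demo()` reports xmlns:ns1 on the Assertion and xmlns:xsi on the AttributeValue, both resolved from the Response element outside the signed subtree.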
