As to your reference http://www.w3.org/TR/xmldsig-core/#sec-Secure it is quite laborious to read and to fully understand, but it seems as if one can read out that everything depends upon the verification program/application being able to roll back what the signing application has set forth. The phrase "SHOULD NOT use internal entities and SHOULD represent the namespace" is difficult to understand without exemplification done on the SignedInfo directly.

-- 
Si St
[email protected]

On Saturday, November 19, 2011 2:14 PM, "G. Ken Holman" <[email protected]> wrote:

> Please ask your questions publicly and not privately.

OK. Here is the message that fell out of the public posting:

This clarifies to a point, but should the declaration be there or not, like this?

<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
  <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
  <Reference URI="">
    <Transforms>
      <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
      <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></Transform>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
    <DigestValue>Tjq6LcMyR4JsrCDQdS9kwGYzo8o=</DigestValue>
  </Reference>
</SignedInfo>

The declaration is taken from <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> that comes before SignedInfo. The idea is taken from this site: http://www.di-mgt.com.au/xmldsig.html and I wonder if it is right or wrong and, if right, is it part of the digest calculation?

-- 
Si St
[email protected]

> At 2011-11-19 10:56 -0800, you wrote:
> >This clarifies to a point, but should the declaration be there or not
> >like this?
>
> Does this help?
>
> http://www.w3.org/TR/xmldsig-core/#sec-Secure
>
>   Applications that do not canonicalize XML content (especially
>   the SignedInfo element) SHOULD NOT use internal entities and
>   SHOULD represent the namespace explicitly within the content
>   being signed since they can not rely upon canonicalization to
>   do this for them.
>
> . . . . . . . . . . . . Ken
>
> --
> Contact us for world-wide XML consulting and instructor-led training
> Free 5-hour video lecture: XSLT/XPath 1.0 & 2.0 http://ude.my/t37DVX
> Crane Softwrights Ltd. http://www.CraneSoftwrights.com/m/
> G. Ken Holman mailto:[email protected]
> Google+ profile: https://plus.google.com/116832879756988317389/about
> Legal business disclaimers: http://www.CraneSoftwrights.com/legal

-- 
http://www.fastmail.fm - Does exactly what it says on the tin

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
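An added example (not from the thread or from xmlsec) of what the xmlns question above comes down to when the verifier canonicalizes: inclusive C14N renders every in-scope namespace declaration on the apex element, so a SignedInfo that repeats the xmlns declaration and one that only inherits it from the enclosing Signature canonicalize to identical octets, and therefore to the same SHA-1 that rsa-sha1 signs. It uses the C14N 2.0 serializer in Python's standard library (3.8+) as a stand-in for REC-xml-c14n-20010315, which it matches for this input (one default namespace, no prefixes); the SignedInfo children and DigestValue are the ones quoted above, joined onto one line.

```python
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# Serialise the dsig namespace as a default namespace (xmlns="...") instead
# of ElementTree's auto-generated ns0: prefix.
ET.register_namespace("", DS)

# Constructed sample: the SignedInfo children from the message, on one line.
INNER = (
    '<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>'
    '<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
    '<Reference URI="">'
    '<Transforms>'
    '<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
    '<Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>'
    '</Transforms>'
    '<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
    '<DigestValue>Tjq6LcMyR4JsrCDQdS9kwGYzo8o=</DigestValue>'
    '</Reference>'
)
# Variant 1: xmlns repeated on SignedInfo, as in the quoted snippet.
EXPLICIT = f'<SignedInfo xmlns="{DS}">{INNER}</SignedInfo>'
# Variant 2: xmlns declared only on the enclosing Signature element.
INHERITED = f'<Signature xmlns="{DS}"><SignedInfo>{INNER}</SignedInfo></Signature>'


def canonical_signed_info(xml_text: str) -> bytes:
    """Return the C14N octets of the SignedInfo element found in xml_text."""
    root = ET.fromstring(xml_text)
    si = root if root.tag == f"{{{DS}}}SignedInfo" else root.find(f"{{{DS}}}SignedInfo")
    if si is None:
        raise ValueError("no SignedInfo element in the dsig namespace")
    si.tail = None  # serialise only the subtree, not any text after it
    # Re-serialise the subtree, then canonicalise it: C14N emits every in-scope
    # namespace on the apex element, so xmlns appears on SignedInfo either way.
    return ET.canonicalize(ET.tostring(si, encoding="unicode")).encode("utf-8")


def signed_info_sha1(xml_text: str) -> str:
    """SHA-1 over canonical SignedInfo: the value that rsa-sha1 signs into
    SignatureValue. (DigestValue is a separate hash of the referenced data.)"""
    return hashlib.sha1(canonical_signed_info(xml_text)).hexdigest()


if __name__ == "__main__":
    a, b = canonical_signed_info(EXPLICIT), canonical_signed_info(INHERITED)
    print(a.decode())
    print("identical canonical octets:", a == b, "SHA-1:", signed_info_sha1(EXPLICIT))
```

Whitespace-only text nodes between the children are preserved by C14N, so the pretty-printed form quoted above and the single-line form here do not canonicalize to the same octets; signer and verifier must see the same SignedInfo bytes, not merely equivalent markup.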
