Thank you for the insight -- I'm not an XML expert, so your pointers and further elaboration help, and your email will be a good reference when this issue with PSKC is brought up in the IETF.
/Simon

"G. Ken Holman" <[email protected]> writes:

> At 2012-10-16 00:23 +0200, Simon Josefsson wrote:
>> "G. Ken Holman" <[email protected]> writes:
>>
>>> <xsd:element ref="ds:Signature" minOccurs="0" maxOccurs="1">
>> ...
>>> I hope this helps.
>>
>> Thank you -- 'ref="ds:Signature"' is used in SAML Assertion as well so
>> it seems like a good approach.
>
> Not "good", but correct. The declaration you showed creates an
> element named "Signature" in the incorrect namespace, not in the
> digital signature namespace. I believe that example you cite is
> absolutely wrong.
>
>> More insight into this would be appreciated. Is there any way the RFC
>> 6030 approach could work? I'm concerned that there is an example in the
>> RFC that people may have modelled their implementations after. My
>> current approach to remove the ds: prefix on the Signature element leads
>> to valid XML so that workaround would work even if it isn't kosher.
>
> It may be well-formed XML but it isn't valid according to the XMLDsig
> specification. That specification states that Signature must be in
> the digital signature namespace (the prefix "ds:" is irrelevant;
> "simon:Signature" is schema valid if
> xmlns:simon="http://www.w3.org/2000/09/xmldsig#"). The specification
> is clear:
>
> http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-Signature
>
> ... and the spec shows it being declared both with a prefix (in XSD)
> and without a prefix (in DTD). The prefix is irrelevant. The
> namespace URI is crucial.
>
> If people don't use XML properly, I can't see why they would expect it
> to work. This is basic namespace-valid XML stuff.
>
> I have a free video lecture on namespaces (in general, not specific to
> digital signatures) in my XSLT class at:
>
> http://www.CraneSoftwrights.com/links/udemy-ptux-online.htm
> (54:09 mark of Module 1 Lecture 1 - The XML Family of Recommendations)
>
>> Having some pointer to text in the XMLDsig standard explaining that this
>> is improper would help.
>
> Why would a standard describe what is incorrect? How would it know
> what to put in the list of incorrect things before the standard is out
> in the public being incorrectly used? Wouldn't having such examples
> lead to confusion if users don't read the document properly and start
> quoting the incorrect examples? Users should just implement it
> correctly. It looks like some are already not reading the
> document properly.
>
> Please forgive my frustration. This isn't a fault of XML, it is a
> fault of the people writing incorrect examples.
>
> I hope this has helped.
>
> . . . . . . . . Ken
>
>
> --
> Contact us for world-wide XML consulting and instructor-led training
> Free 5-hour lecture: http://www.CraneSoftwrights.com/links/udemy.htm
> Crane Softwrights Ltd. http://www.CraneSoftwrights.com/z/
> G. Ken Holman mailto:[email protected]
> Google+ profile: https://plus.google.com/116832879756988317389/about
> Legal business disclaimers: http://www.CraneSoftwrights.com/legal
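The namespace rule Ken describes, as an added Python check that is not part of this thread or of any project: it finds every element whose local name is Signature and accepts the document only when each one sits in the XML Digital Signature namespace, whatever prefix (ds:, simon:, or none) the document uses. The PSKC namespace URI in the constructed samples is assumed from RFC 6030; the signature contents are elided.

```python
"""Check that a Signature element lives in the XMLDsig namespace, regardless of prefix."""
import xml.etree.ElementTree as ET

XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
# Assumed PSKC namespace URI (RFC 6030); used only for the constructed samples below.
PSKC_NS = "urn:ietf:params:xml:ns:keyprov:pskc"


def split_tag(tag):
    """ElementTree encodes qualified names as '{uri}local'; unqualified names have no braces."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        return uri, local
    return "", tag


def signature_namespaces(xml_text):
    """Return the namespace URI of every element whose local name is 'Signature'."""
    root = ET.fromstring(xml_text)
    return [split_tag(el.tag)[0] for el in root.iter() if split_tag(el.tag)[1] == "Signature"]


def signature_in_dsig_namespace(xml_text):
    """True only if a Signature element exists and every one is in the XMLDsig namespace."""
    found = signature_namespaces(xml_text)
    return bool(found) and all(ns == XMLDSIG_NS for ns in found)


# Constructed samples, not taken from RFC 6030 or the xmlsec test suite.
CORRECT = f'<KeyContainer xmlns="{PSKC_NS}" xmlns:ds="{XMLDSIG_NS}"><ds:Signature/></KeyContainer>'
# Different prefix, same namespace URI: still correct, as Ken points out.
ODD_PREFIX = f'<KeyContainer xmlns="{PSKC_NS}" xmlns:simon="{XMLDSIG_NS}"><simon:Signature/></KeyContainer>'
# The "drop the ds: prefix" workaround: well-formed, but Signature lands in the PSKC default namespace.
UNPREFIXED = f'<KeyContainer xmlns="{PSKC_NS}"><Signature/></KeyContainer>'
# No namespace declared at all: Signature is in no namespace, so also wrong.
NO_NAMESPACE = '<KeyContainer><Signature/></KeyContainer>'

if __name__ == "__main__":
    for name, doc in [("correct", CORRECT), ("odd prefix", ODD_PREFIX),
                      ("unprefixed", UNPREFIXED), ("no namespace", NO_NAMESPACE)]:
        print(f"{name:13s} -> {signature_in_dsig_namespace(doc)} {signature_namespaces(doc)}")
```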
