I do not know if this is the list for this discussion. I added this question to stackoverflow<http://stackoverflow.com/questions/18522211/xmldsig-the-reference-processing-model-node-set-vs-octet-stream> .
I'm studying XML Advanced Electronic Signatures<http://www.etsi.org/deliver/etsi_ts%5C101900_101999%5C101903%5C01.04.02_60%5Cts_101903v010402p.pdf> . *To create "ArchiveTimeStamp" (page 58) the Specification says:* *Process the retrieved ds:Reference element according to the reference processing model of XMLDSIG.* * * *If the result is a XML node set, canonicalize it. (...)* *The Reference Processing Model is over this:* <*ds:Reference *Id="myId" URI="http://fakefile.xml";> <*ds:Transforms*> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod/> <ds:DigestValue/> </ds:Reference> The process uses "URI=..." and "ds:Transforms" to retrieve the data. *Below are some parts extracted from (4.3.3.2 The Reference Processing Model<http://www.w3.org/TR/xmldsig-core/#sec-ReferenceProcessingModel> ):* *The data-type of the result of URI dereferencing or subsequent Transforms is either an octet stream or an XPath node-set. (...)* * * *In this specification, a 'same-document' reference is defined as a URI-Reference that consists of a hash sign ('#') followed by a fragment or alternatively consists of an empty URI (...)* * * *Unless the URI-Reference is such a 'same-document' reference, the result of dereferencing the URI-Reference MUST be an octet stream. In particular, an XML document identified by URI is not parsed by the signature application unless the URI is a same-document reference or unless a transform that requires XML parsing is applied.* * * *The following examples demonstrate what the URI attribute identifies and how it is dereferenced:* * * *URI="http://example.com/bar.xml"; * *Identifies the octets (...)* * * *URI="http://example.com/bar.xml#chapter1"; * *Identifies the element with ID attribute value 'chapter1' of the external XML resource (...), provided as an octet stream. (...)* * * *URI="" * *Identifies the node-set (...)* * * *URI="#chapter1" * *Identifies a node-set containing the (...)* *The question.* *For these References:* <ds:Reference Id="myId" URI="http://fakefile.xml";> ... (empty transform list) ... </ds:Reference> *Result 1#: ( <file> ... childs ... <file> ).* <ds:Reference Id="myId" URI="http://fakefile.xml";> ... <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> ... </ds:Reference> *Result 2#: (xml with exc-c14n).* <ds:Reference Id="myId" URI="http://fakefile.xml";> ... <ds:Transform "fake_Xpath_transform_to_get_all_childs"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> ... </ds:Reference> *Result 3#: ( only childs with exc-c14n <child_1/>...<child_x/> ) This is not valid XML file to parse, does not has single root. But can be "node set" with in fakefile.xml context.* *Are results (1#, 2# and 3#) "octet stream" ?* Because: *Unless the URI-Reference is such a 'same-document' reference, the result of dereferencing the URI-Reference MUST be an octet stream.* *Or are they "XML node set" required by XML Advanced Electronic Signatures to canonicalize?* Because: *(...) In particular, an XML document identified by URI is not parsed by the signature application unless the URI is a same-document reference or unless a transform that requires XML parsing is applied.* *Or the (unless a transform that requires XML parsing is applied) is valid only with in Reference context and the results are octet stream?* Articles are welcome.
_______________________________________________ xmlsec mailing list [email protected] http://www.aleksey.com/mailman/listinfo/xmlsec
