[xmlsec] namespaces in enveloping signature

Jesse Pelton jsp at PKC.com
Tue Jul 13 09:56:48 PDT 2004


There's a third, rather bizarre choice: you can specify the namespace in
the BBB element twice, once with a prefix and once without.  The latter
becomes the default namespace.

<aa:BBB xmlns:aa="http://x.y.org/BBB"
        xmlns="http://x.y.org/BBB"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://x.y.org/BBB">
<YYY><ZZZ>Something</ZZZ></YYY>
</aa:BBB>

Hard to understand, huh?  But it serves a purpose: it should now be
clear that either of your approaches is better than this!  Neither is
inherently superior to the other, however.  Consistently using namespace
prefixes makes it very clear what namespace applies, but makes for
verbose documents.  Using a default namespace makes for concise
documents that are easy to read quickly - until you need to figure out
what elements belong in what namespace.

So either of your approaches is correct.  You get to choose which is
better based on your own criteria.  But please don't do it the way I
describe above, unless your goal is to make readers scratch their heads
and question your intelligence and/or sanity!
-----Original Message-----
From: xmlsec-bounces at aleksey.com [mailto:xmlsec-bounces at aleksey.com] On
Behalf Of Bernd Becker
Sent: Tuesday, July 13, 2004 12:23 PM
To: xmlsec at aleksey.com
Subject: [xmlsec] namespaces in enveloping signature

Hi,

I am using xmlsec in a server to sign a message in the enveloping
variant, i.e. the message to be signed is embedded in the Object element
of the Signature. It looks something like this:

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315">
</CanonicalizationMethod>
<SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
<Reference URI="#MyObj">
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>...</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>...</SignatureValue>
<Object Id="MyObj">
<aa:BBB xmlns:aa="http://x.y.org/BBB"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://x.y.org/BBB">
<YYY><ZZZ>Something</ZZZ></YYY>
</aa:BBB>
</Object>
</Signature>

The receiving client is having a problem parsing or validating this,
because the elements YYY and ZZZ are not qualified with the namespace
prefix aa, and thus it is assuming the default namespace (xmldsig)
defined in the Signature element.

One solution would be to define a namespace prefix in the Signature and
use that, avoiding the definition of the default namespace. But right
now it is not possible to set it in xmlsec and there seems to be
agreement not to support it.

The other two solutions are probably:
 1. explicitly qualify all elements within BBB with the prefix aa
     <aa:BBB xmlns:aa="http://x.y.org/BBB"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://x.y.org/BBB">
     <aa:YYY><aa:ZZZ>Something</aa:ZZZ></aa:YYY>
     </aa:BBB>

 2. not to use the prefix aa at all but instead define a new default
    namespace
     <BBB xmlns="http://x.y.org/BBB"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://x.y.org/BBB">
     <YYY><ZZZ>Something</ZZZ></YYY>
     </BBB>

What is the better or more correct way to go?

Thanks in advance for any help,
Bernd

_______________________________________________
xmlsec mailing list
xmlsec at aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec
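The namespace inheritance that bites Bernd's receiver, shown concretely: an added example (not code from the thread or from xmlsec) that parses the three Object payload variants discussed above with Python's ElementTree and reports which namespace each element actually resolves to. The Signature skeleton is a constructed, abbreviated copy of the one in the original post; `payload_in_namespace` is an assumed receiver-side check that rejects a payload whose elements do not all land in the expected namespace.

```python
import xml.etree.ElementTree as ET

XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
BBB_NS = "http://x.y.org/BBB"

# Constructed sample: the enveloping-signature skeleton from the thread;
# SignedInfo and SignatureValue are abbreviated since only Object matters here.
SIGNATURE_TEMPLATE = (
    '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">'
    '<SignedInfo><Reference URI="#MyObj"><DigestValue>...</DigestValue>'
    '</Reference></SignedInfo><SignatureValue>...</SignatureValue>'
    '<Object Id="MyObj">{payload}</Object></Signature>'
)

PAYLOADS = {
    # Bernd's original: only BBB carries the aa prefix, so YYY and ZZZ
    # inherit the default namespace declared on Signature (xmldsig).
    "original": '<aa:BBB xmlns:aa="http://x.y.org/BBB">'
                '<YYY><ZZZ>Something</ZZZ></YYY></aa:BBB>',
    # Option 1: every element explicitly prefixed.
    "prefixed": '<aa:BBB xmlns:aa="http://x.y.org/BBB">'
                '<aa:YYY><aa:ZZZ>Something</aa:ZZZ></aa:YYY></aa:BBB>',
    # Option 2: BBB redeclares the default namespace, overriding Signature's.
    "default": '<BBB xmlns="http://x.y.org/BBB">'
               '<YYY><ZZZ>Something</ZZZ></YYY></BBB>',
}

def object_element_namespaces(signature_xml):
    """Map local-name -> namespace URI for every element inside Object.

    ElementTree resolves prefixes and default namespaces while parsing and
    stores tags as '{uri}local', so this shows what a receiver actually sees.
    """
    root = ET.fromstring(signature_xml)
    obj = root.find(f"{{{XMLDSIG_NS}}}Object")
    result = {}
    for el in obj.iter():
        if el is obj:
            continue
        uri, local = el.tag[1:].split("}", 1) if el.tag.startswith("{") else ("", el.tag)
        result[local] = uri
    return result

def payload_in_namespace(variant, expected_ns=BBB_NS):
    """Receiver-side check (assumed, not from xmlsec): accept the Object
    payload only if every element resolves to the expected namespace."""
    xml = SIGNATURE_TEMPLATE.format(payload=PAYLOADS[variant])
    return all(uri == expected_ns for uri in object_element_namespaces(xml).values())

if __name__ == "__main__":
    for name in PAYLOADS:
        xml = SIGNATURE_TEMPLATE.format(payload=PAYLOADS[name])
        print(name, object_element_namespaces(xml), payload_in_namespace(name))
```

Running it shows the original variant placing YYY and ZZZ in the xmldsig namespace while both of Bernd's alternatives put the whole payload in http://x.y.org/BBB.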
