[xmlsec] Re: Detached Signatures (same-document)
aleksey at aleksey.com
Sun Oct 10 21:20:54 PDT 2004
Please, read the FAQ for explanations why it is done the way it is done.
Larry Bugbee wrote:
> A DTD might suffice as a temporary workaround, but I don't believe a
> user of xmlsec or pyxmlsec should have to supply a DTD to fix things.
> Especially as Andrew points out, when such is not the case with other
> implementations. Are we not in need of a change?
> To xmlsec or libxml2? I can see a lot of points and counterpoints, but
> my first impression is that xmlsec should accept 'Id' attributes if the
> value matches the signature's URI fragment reference. Is a change to
> libxml the right way to do that? I dunno. Like I said,
> point/counterpoint. ...but something's not right.
> ...and I was so close. ;-)
> See also:
> October/000023.html (and #24)
> On Oct 10, 2004, at 7:20 PM, Andrew Fan wrote:
>> Larry Bugbee wrote:
>>> I read your email thread from a couple of months back having to do
>>> with detached signatures.
>>> (http://www.aleksey.com/pipermail/xmlsec/2003/001154.html) I'm
>>> having the same problem and am not happy with the 'suggested
>>> solution'. Before I go any further I want to check and see if you
>>> discovered anything new.
>>> Rereading the W3C specification, section 4.3.3 and especially
>>> 126.96.36.199, I see the word 'MUST' several times and no hint at needing
>>> to provide a DTD. ...although FAQ section 3.2
>>> (http://www.aleksey.com/xmlsec/faq.html) talks about a DTD to cover
>>> a *warning* for empty node sets. But, if they are not empty, a DTD
>>> should not be necessary. I believe there is an implementation error
>>> somewhere between xmlsec and libxml.
>> Yes, there is some implementation error or unintent of xmlsec or
>> libxml. It is sure that ID is an DTD defined attributes, but other
>> xml security toolkits( such as java, apache ) treats it as ID
>> attribute, while libxml just treats it as normal attribute during the
>> DOM building. Because core xmlsec take no responsibility to build a
>> the DOM, so it have no ideas to find the ID refered node, I think.
>> I implemented according to Alsksey's suggections in his FAQs.
>>> Am I missing something?
More information about the xmlsec