[xmlsec] Re: Detached Signatures (same-document)

Larry Bugbee bugbee at seanet.com
Sun Oct 10 21:52:07 PDT 2004

I did.  ...but it didn't seem right and hence my note.  I'm just trying 
to understand if indeed something needs fixing rather than a DTD 

I didn't expect this issue to have a clean answer hence 
'point/counterpoint'.  One could even argue the W3C specification is 
incorrect.  I'm inclined to think not, but who knows?

I believe an implementation of the W3C recommendation should not 
require the user to add a DTD simply to do same-document detached 
signatures.  I haven't tested java or apache yet, but if what Andrew 
says is true, the DTD should not be necessary.  A number of other 
programmers were expecting that to be the case given the postings I 

What am I missing?

My thanks,


On Oct 10, 2004, at 9:20 PM, Aleksey Sanin wrote:

> Please, read the FAQ for explanations why it is done the way it is 
> done.
> Aleksey
> Larry Bugbee wrote:
>> Aleksey,
>> A DTD might suffice as a temporary workaround, but I don't believe a  
>> user of xmlsec or pyxmlsec should have to supply a DTD to fix things. 
>>   Especially as Andrew points out, when such is not the case with 
>> other  implementations.  Are we not in need of a change?
>> To xmlsec or libxml2?  I can see a lot of points and counterpoints, 
>> but  my first impression is that xmlsec should accept 'Id' attributes 
>> if the  value matches the signature's URI fragment reference.  Is a 
>> change to  libxml the right way to do that?  I dunno.  Like I said,  
>> point/counterpoint.  ...but something's not right.
>> Thots?
>> ...and I was so close.  ;-)
>> Larry
>> See also:
>>   http://www.aleksey.com/pipermail/xmlsec/2003/001154.html
>> http://lists.labs.libre-entreprise.org/pipermail/pyxmlsec-devel/2004- 
>> October/000023.html (and #24)
>> On Oct 10, 2004, at 7:20 PM, Andrew Fan wrote:
>>> Larry Bugbee wrote:
>>>> Andrew,
>>>> I read your email thread from a couple of months back having to do  
>>>> with detached signatures.   
>>>> (http://www.aleksey.com/pipermail/xmlsec/2003/001154.html)  I'm  
>>>> having the same problem and am not happy with the 'suggested  
>>>> solution'.  Before I go any further I want to check and see if you  
>>>> discovered anything new.
>>>> Rereading the W3C specification, section 4.3.3 and especially  
>>>>, I see the word 'MUST' several times and no hint at needing 
>>>>  to provide a DTD.  ...although FAQ section 3.2  
>>>> (http://www.aleksey.com/xmlsec/faq.html) talks about a DTD to cover 
>>>> a  *warning* for empty node sets.  But, if they are not empty, a 
>>>> DTD  should not be necessary.  I believe there is an implementation 
>>>> error  somewhere between xmlsec and libxml.
>>> Yes, there is some implementation error or unintent of xmlsec or  
>>> libxml. It is sure that ID is an DTD defined attributes, but other 
>>> xml  security toolkits( such as java, apache ) treats it as ID 
>>> attribute,  while libxml just treats it as normal attribute during 
>>> the DOM  building. Because core xmlsec take no responsibility to 
>>> build a the  DOM, so it have no ideas to find the ID refered node, I 
>>> think.
>>> I implemented according to Alsksey's suggections in his FAQs.
>>>> Am I missing something?
>>>> Thanks,
>>>> Larry

More information about the xmlsec mailing list