[xmlsec] Re: Detached Signatures (same-document)
bugbee at seanet.com
Sun Oct 10 21:52:07 PDT 2004
I did. ...but it didn't seem right and hence my note. I'm just trying
to understand if indeed something needs fixing rather than a DTD
I didn't expect this issue to have a clean answer hence
'point/counterpoint'. One could even argue the W3C specification is
incorrect. I'm inclined to think not, but who knows?
I believe an implementation of the W3C recommendation should not
require the user to add a DTD simply to do same-document detached
signatures. I haven't tested java or apache yet, but if what Andrew
says is true, the DTD should not be necessary. A number of other
programmers were expecting that to be the case given the postings I
What am I missing?
On Oct 10, 2004, at 9:20 PM, Aleksey Sanin wrote:
> Please, read the FAQ for explanations why it is done the way it is
> Larry Bugbee wrote:
>> A DTD might suffice as a temporary workaround, but I don't believe a
>> user of xmlsec or pyxmlsec should have to supply a DTD to fix things.
>> Especially as Andrew points out, when such is not the case with
>> other implementations. Are we not in need of a change?
>> To xmlsec or libxml2? I can see a lot of points and counterpoints,
>> but my first impression is that xmlsec should accept 'Id' attributes
>> if the value matches the signature's URI fragment reference. Is a
>> change to libxml the right way to do that? I dunno. Like I said,
>> point/counterpoint. ...but something's not right.
>> ...and I was so close. ;-)
>> See also:
>> October/000023.html (and #24)
>> On Oct 10, 2004, at 7:20 PM, Andrew Fan wrote:
>>> Larry Bugbee wrote:
>>>> I read your email thread from a couple of months back having to do
>>>> with detached signatures.
>>>> (http://www.aleksey.com/pipermail/xmlsec/2003/001154.html) I'm
>>>> having the same problem and am not happy with the 'suggested
>>>> solution'. Before I go any further I want to check and see if you
>>>> discovered anything new.
>>>> Rereading the W3C specification, section 4.3.3 and especially
>>>> 188.8.131.52, I see the word 'MUST' several times and no hint at needing
>>>> to provide a DTD. ...although FAQ section 3.2
>>>> (http://www.aleksey.com/xmlsec/faq.html) talks about a DTD to cover
>>>> a *warning* for empty node sets. But, if they are not empty, a
>>>> DTD should not be necessary. I believe there is an implementation
>>>> error somewhere between xmlsec and libxml.
>>> Yes, there is some implementation error or unintent of xmlsec or
>>> libxml. It is sure that ID is an DTD defined attributes, but other
>>> xml security toolkits( such as java, apache ) treats it as ID
>>> attribute, while libxml just treats it as normal attribute during
>>> the DOM building. Because core xmlsec take no responsibility to
>>> build a the DOM, so it have no ideas to find the ID refered node, I
>>> I implemented according to Alsksey's suggections in his FAQs.
>>>> Am I missing something?
More information about the xmlsec