[xmlsec] Handling the SignedInfo element for signing

Si St sigbj-st at operamail.com
Sun Nov 20 13:13:44 PST 2011


As to your reference http://www.w3.org/TR/xmldsig-core/#sec-Secure,
it is quite laborious to read and to fully understand, but it seems as
if one can read out that everything depends upon the verification
program/application being able to roll back what the signing application
has set forth. The phrase "SHOULD NOT use internal entities and SHOULD
represent the namespace" is difficult to understand without
exemplification done on the SignedInfo directly.
-- 
  Si St
  sigbj-st at operamail.com


On Saturday, November 19, 2011 2:14 PM, "G. Ken Holman"
<gkholman at CraneSoftwrights.com> wrote:
> Please ask your questions publicly and not privately.
OK. Here is the message that fell out of the public posting:
This clarifies to a point, but should the declaration be there or not,
like this?

<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
  <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
  <Reference URI="">
    <Transforms>
      <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
      <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></Transform>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
    <DigestValue>Tjq6LcMyR4JsrCDQdS9kwGYzo8o=</DigestValue>
  </Reference>
</SignedInfo>

The declaration is taken from
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
that comes before SignedInfo. The idea is taken from this site:
http://www.di-mgt.com.au/xmldsig.html
and I wonder if it is right or wrong and, if right, is it part of the
digest calculation?
-- 
  Si St
  sigbj-st at operamail.com
> 
> At 2011-11-19 10:56 -0800, you wrote:
> >This clarifies to a point, but should the declaration be there or not,
> >like this?
> 
> Does this help?
> 
>    http://www.w3.org/TR/xmldsig-core/#sec-Secure
>    Applications that do not canonicalize XML content (especially
>    the SignedInfo element) SHOULD NOT use internal entities and
>    SHOULD represent the namespace explicitly within the content
>    being signed since they can not rely upon canonicalization to
>    do this for them.
> 
> . . . . . . . . . . . . Ken
> 
> 
> --
> Contact us for world-wide XML consulting and instructor-led training
> Free 5-hour video lecture: XSLT/XPath 1.0 & 2.0 http://ude.my/t37DVX
> Crane Softwrights Ltd.            http://www.CraneSoftwrights.com/m/
> G. Ken Holman                   mailto:gkholman at CraneSoftwrights.com
> Google+ profile: https://plus.google.com/116832879756988317389/about
> Legal business disclaimers:    http://www.CraneSoftwrights.com/legal
> 
> 

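Added illustration (not code from this thread, from xmlsec, or from the di-mgt page) of what the quoted spec text means for the question above. In XML-DSig the SignatureValue is computed over the canonical form of SignedInfo (here Canonical XML 1.0, per CanonicalizationMethod), while the DigestValue inside Reference covers the referenced data, which with URI="" and the enveloped-signature transform is the document minus the Signature element. So the xmlns declaration on SignedInfo is not in that digest, but it does end up in the bytes that are signed, and canonicalization is what puts it there whether the author wrote it on SignedInfo or only inherited it from Signature. The script assumes Python 3.8 or newer and uses xml.etree.ElementTree.canonicalize, which implements C14N 2.0 rather than the 1.0 algorithm named above; the namespace handling that matters here is the same, but the bytes are not promised to match an xmldsig library's output. The sample documents are constructed from the SignedInfo in the post.

```python
"""Where the xmlns declaration of SignedInfo ends up once the element is
canonicalized on its own, which is what SignatureValue is computed over."""
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"

# Constructed sample: the SignedInfo children from the list post, shared by
# every variant below.
SIGNED_INFO_CHILDREN = f"""
  <CanonicalizationMethod Algorithm="{C14N}"/>
  <SignatureMethod Algorithm="{DS}rsa-sha1"/>
  <Reference URI="">
    <Transforms>
      <Transform Algorithm="{DS}enveloped-signature"/>
      <Transform Algorithm="{C14N}"/>
    </Transforms>
    <DigestMethod Algorithm="{DS}sha1"/>
    <DigestValue>Tjq6LcMyR4JsrCDQdS9kwGYzo8o=</DigestValue>
  </Reference>
"""

# Variant A: the declaration sits only on the Signature ancestor (inherited).
DOC_INHERITED = (f'<Signature xmlns="{DS}"><SignedInfo>{SIGNED_INFO_CHILDREN}'
                 f'</SignedInfo><SignatureValue/></Signature>')
# Variant B: the declaration is repeated on SignedInfo, as in the post.
DOC_EXPLICIT = (f'<Signature xmlns="{DS}"><SignedInfo xmlns="{DS}">'
                f'{SIGNED_INFO_CHILDREN}</SignedInfo><SignatureValue/></Signature>')
# Variant C: SignedInfo handed over as loose bytes with no declaration at all,
# the case the quoted spec text warns about (no canonicalization can repair it).
FRAGMENT_NO_NS = f"<SignedInfo>{SIGNED_INFO_CHILDREN}</SignedInfo>"

# Make ElementTree serialise the xmldsig namespace as the default namespace
# (xmlns="...") instead of an ns0: prefix. Global side effect, fine for a demo.
ET.register_namespace("", DS)


def canonical_signed_info(signature_doc: str) -> str:
    """Canonical form of the SignedInfo subtree of a Signature document.

    After parsing, every element carries its resolved namespace, so serialising
    the SignedInfo subtree alone renders the in-scope default namespace on the
    apex element, the same effect Canonical XML 1.0 has on a document subset.
    ET.canonicalize (C14N 2.0, Python >= 3.8) then produces the canonical bytes.
    """
    root = ET.fromstring(signature_doc)
    signed_info = root.find(f"{{{DS}}}SignedInfo")
    if signed_info is None:
        raise ValueError("no ds:SignedInfo element in document")
    subtree = ET.tostring(signed_info, encoding="unicode")
    return ET.canonicalize(subtree, strip_text=True)


def canonical_fragment(fragment: str) -> str:
    """Canonicalize a standalone fragment exactly as given (no ancestor context)."""
    return ET.canonicalize(fragment, strip_text=True)


def signature_input_sha1(canonical: str) -> str:
    """SHA-1 over the canonical bytes: with rsa-sha1 this is the value that gets
    RSA-signed, and what a verifier recomputes from its own canonicalization."""
    return hashlib.sha1(canonical.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    inherited = canonical_signed_info(DOC_INHERITED)
    explicit = canonical_signed_info(DOC_EXPLICIT)
    bare = canonical_fragment(FRAGMENT_NO_NS)
    print(inherited)
    print("inherited == explicit:", inherited == explicit,
          signature_input_sha1(inherited))
    print("no declaration anywhere:", signature_input_sha1(bare), "(differs)")
```

Running it prints the canonical SignedInfo with xmlns="http://www.w3.org/2000/09/xmldsig#" on the apex element for both variant A and variant B, with identical SHA-1 values; variant C canonicalizes to elements in no namespace and a different hash, which is why a signer that skips canonicalization must write the declaration out itself.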