[xmlsec] Handling the SignedInfo element for signing

Si St sigbj-st at operamail.com
Sun Nov 20 13:13:44 PST 2011

As to your reference http://www.w3.org/TR/xmldsig-core/#sec-Secure
it is quite laborious to read and to fully understand, but it seems as
if one can read out that everything depends upon the verification
program/application being able to roll back what the signing application
has set forth. The phrase: "SHOULD NOT use internal entities and SHOULD
represent the namespace" is difficult to understand without
exemplification done on the SignedInfo directly.
  Si St
  sigbj-st at operamail.com

On Saturday, November 19, 2011 2:14 PM, "G. Ken Holman"
<gkholman at CraneSoftwrights.com> wrote:
> Please ask your questions publicly and not privately.
OK. Here is the message that fell out of the public posting:
This clarifies to a point, but should the declaration be there or not
like this?

<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<Reference URI="">

The declaration is taken from 
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
that comes before SignedInfo
The idea is taken from this site:
and I wonder if it is right or wrong and, if right, is it part of the
digest calculation?
  Si St
  sigbj-st at operamail.com
> At 2011-11-19 10:56 -0800, you wrote:
> >This clarifies to a point, but should the declaration be there or not
> >like this?
> Does this help?
>    http://www.w3.org/TR/xmldsig-core/#sec-Secure
>    Applications that do not canonicalize XML content (especially
>    the SignedInfo element) SHOULD NOT use internal entities and
>    SHOULD represent the namespace explicitly within the content
>    being signed since they can not rely upon canonicalization to
>    do this for them.
> . . . . . . . . . . . . Ken
> --
> Contact us for world-wide XML consulting and instructor-led training
> Free 5-hour video lecture: XSLT/XPath 1.0 & 2.0 http://ude.my/t37DVX
> Crane Softwrights Ltd.            http://www.CraneSoftwrights.com/m/
> G. Ken Holman                   mailto:gkholman at CraneSoftwrights.com
> Google+ profile: https://plus.google.com/116832879756988317389/about
> Legal business disclaimers:    http://www.CraneSoftwrights.com/legal
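
An added example, not part of the original thread or of xmlsec: it canonicalizes the SignedInfo subtree of a constructed signature skeleton and shows that the canonical text carries the xmlns declaration whether it was written on SignedInfo or only inherited from Signature, so the declaration is part of the bytes that get hashed and signed, while the text sliced out as written differs. Assumptions: the function names are hypothetical, Python's standard-library C14N 2.0 writer stands in for whichever canonicalization method a real signature names, and SHA-256 is used only to compare the byte strings.

```python
import hashlib
import io
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed samples: the namespace is declared only on <Signature>
# (INHERITED) or repeated on <SignedInfo> (EXPLICIT).
INHERITED = (f'<Signature xmlns="{DSIG}">'
             '<SignedInfo><Reference URI=""/></SignedInfo></Signature>')
EXPLICIT = INHERITED.replace("<SignedInfo>", f'<SignedInfo xmlns="{DSIG}">')


def canonical_signed_info(signature_xml: str) -> str:
    """Canonical text of the SignedInfo subtree, inherited namespace included."""
    root = ET.fromstring(signature_xml)
    signed_info = root.find(f"{{{DSIG}}}SignedInfo")
    out = io.StringIO()
    writer = ET.C14NWriterTarget(out.write)
    # Assumption: xmldsig is bound as the default namespace, as in the samples.
    writer.start_ns("", DSIG)
    def emit(elem):
        writer.start(elem.tag, elem.attrib)
        if elem.text:
            writer.data(elem.text)
        for child in elem:
            emit(child)
            if child.tail:
                writer.data(child.tail)
        writer.end(elem.tag)
    emit(signed_info)
    return out.getvalue()


def raw_signed_info(signature_xml: str) -> str:
    """The SignedInfo text exactly as written, with no canonicalization."""
    start = signature_xml.index("<SignedInfo")
    end = signature_xml.index("</SignedInfo>") + len("</SignedInfo>")
    return signature_xml[start:end]


def digest(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for doc in (INHERITED, EXPLICIT):
        for form in (raw_signed_info(doc), canonical_signed_info(doc)):
            print(digest(form)[:16], form)
```

A signer that hashes the as-written slice of INHERITED produces a value a canonicalizing verifier will not reproduce, which is the case the quoted "SHOULD represent the namespace explicitly" sentence addresses.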
