[xmlsec] Signature in different namespace
G. Ken Holman
gkholman at CraneSoftwrights.com
Mon Oct 15 15:40:37 PDT 2012
At 2012-10-16 00:23 +0200, Simon Josefsson wrote:
>"G. Ken Holman" <gkholman at CraneSoftwrights.com> writes:
> > <xsd:element ref="ds:Signature" minOccurs="0" maxOccurs="1">
> > I hope this helps.
>Thank you -- 'ref="ds:Signature"' is used in SAML Assertion as well so
>it seems like a good approach.
Not "good", but correct. The declaration you showed creates an
element named "Signature" in the incorrect namespace, not in the
digital signature namespace. I believe that example you cite is
>More insight into this would be appreciated. Is there any way the RFC
>6030 approach could work? I'm concerned that there is an example in the
>RFC that people may have modelled their implementations after. My
>current approach to remove the ds: prefix on the Signature element leads
>to valid XML so that workaround would works even if isn't kosher.
It may be well-formed XML but it isn't valid according to the XMLDsig
specification. That specification states that Signature must be in
the digital signature namespace (the prefix "ds:" is irrelevant;
"simon:Signature" is schema valid if
xmlns:simon="http://www.w3.org/2000/09/xmldsig#"). The specification is clear:
... and the spec shows it being declared both with a prefix (in XSD)
and without a prefix (in DTD). The prefix is irrelevant. The
namespace URI is crucial.
If people don't use XML properly, I can't see why they would expect
it to work. This is basic namespace-valid XML stuff.
I have a free video lecture on namespaces (in general, not specific
to digital signatures) in my XSLT class at:
(54:09 mark of Module 1 Lecture 1 - The XML Family of Recommendations)
>Having some pointer to text in the XMLDsig standard explaining that this
>is improper would help.
Why would a standard describe what is incorrect? How would it know
what to put in the list if incorrect things before the standard is
out in the public being incorrectly used? Wouldn't having such
examples lead to confusion if users don't read the document properly
and start quoting the incorrect examples? Users should just
implement it correctly. It looks like some are already reading not
reading the document properly.
Please forgive my frustration. This isn't a fault of XML, it is a
fault of the people writing incorrect examples.
I hope this has helped.
. . . . . . . . Ken
Contact us for world-wide XML consulting and instructor-led training
Free 5-hour lecture: http://www.CraneSoftwrights.com/links/udemy.htm
Crane Softwrights Ltd. http://www.CraneSoftwrights.com/z/
G. Ken Holman mailto:gkholman at CraneSoftwrights.com
Google+ profile: https://plus.google.com/116832879756988317389/about
Legal business disclaimers: http://www.CraneSoftwrights.com/legal
More information about the xmlsec