[xmlsec] Signature in different namespace

Simon Josefsson simon at josefsson.org
Tue Oct 16 00:53:33 PDT 2012


Thank you for the insight -- I'm not an XML expert so your pointers and
further elaboration help, and your email will be a good reference
when this issue with PSKC is brought up in the IETF.

/Simon

"G. Ken Holman" <gkholman at CraneSoftwrights.com> writes:

> At 2012-10-16 00:23 +0200, Simon Josefsson wrote:
>>"G. Ken Holman" <gkholman at CraneSoftwrights.com> writes:
>>
>> >        <xsd:element ref="ds:Signature" minOccurs="0" maxOccurs="1">
>>...
>> > I hope this helps.
>>
>>Thank you -- 'ref="ds:Signature"' is used in SAML Assertion as well so
>>it seems like a good approach.
>
> Not "good", but correct.  The declaration you showed creates an
> element named "Signature" in the incorrect namespace, not in the
> digital signature namespace.  I believe that example you cite is
> absolutely wrong.
>
>>More insight into this would be appreciated.  Is there any way the RFC
>>6030 approach could work?  I'm concerned that there is an example in the
>>RFC that people may have modelled their implementations after.  My
>>current approach to remove the ds: prefix on the Signature element leads
>>to valid XML so that workaround would work even if it isn't kosher.
>
> It may be well-formed XML but it isn't valid according to the XMLDsig
> specification.  That specification states that Signature must be in
> the digital signature namespace (the prefix "ds:" is irrelevant;
> "simon:Signature" is schema valid if
> xmlns:simon="http://www.w3.org/2000/09/xmldsig#").  The specification
> is clear:
>
>  http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-Signature
>
> ... and the spec shows it being declared both with a prefix (in XSD)
> and without a prefix (in DTD).  The prefix is irrelevant.  The
> namespace URI is crucial.
>
> If people don't use XML properly, I can't see why they would expect it
> to work.  This is basic namespace-valid XML stuff.
>
> I have a free video lecture on namespaces (in general, not specific to
> digital signatures) in my XSLT class at:
>
>   http://www.CraneSoftwrights.com/links/udemy-ptux-online.htm
>   (54:09 mark of Module 1 Lecture 1 - The XML Family of Recommendations)
>
>>Having some pointer to text in the XMLDsig standard explaining that this
>>is improper would help.
>
> Why would a standard describe what is incorrect?  How would it know
> what to put in the list of incorrect things before the standard is out
> in the public being incorrectly used?  Wouldn't having such examples
> lead to confusion if users don't read the document properly and start
> quoting the incorrect examples?  Users should just implement it
> correctly.  It looks like some are already not reading the
> document properly.
>
> Please forgive my frustration.  This isn't a fault of XML, it is a
> fault of the people writing incorrect examples.
>
> I hope this has helped.
>
> . . . . . . . . Ken
>
>
> --
> Contact us for world-wide XML consulting and instructor-led training
> Free 5-hour lecture: http://www.CraneSoftwrights.com/links/udemy.htm
> Crane Softwrights Ltd.            http://www.CraneSoftwrights.com/z/
> G. Ken Holman                   mailto:gkholman at CraneSoftwrights.com
> Google+ profile: https://plus.google.com/116832879756988317389/about
> Legal business disclaimers:    http://www.CraneSoftwrights.com/legal
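The namespace point made above, as an added example that is not part of the thread: a Python check using the standard library's ElementTree that reports which namespace a Signature element actually sits in, showing that the prefix is irrelevant and only the URI counts. The container namespace "urn:example:container" and the sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample documents (not from the thread). "urn:example:container"
# stands in for whatever namespace the enclosing container document uses.
# 1. The usual "ds:" prefix bound to the XMLDSig namespace URI.
SIG_DS_PREFIX = """<Container xmlns="urn:example:container"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:SignedInfo/></ds:Signature>
</Container>"""

# 2. A different prefix bound to the same URI: equally correct.
SIG_OTHER_PREFIX = """<Container xmlns="urn:example:container"
    xmlns:simon="http://www.w3.org/2000/09/xmldsig#">
  <simon:Signature><simon:SignedInfo/></simon:Signature>
</Container>"""

# 3. Prefix dropped: Signature now falls into the container's default
#    namespace, which is the mistake discussed in the thread.
SIG_NO_PREFIX = """<Container xmlns="urn:example:container">
  <Signature><SignedInfo/></Signature>
</Container>"""

# 4. "ds:" used without any xmlns:ds declaration: not even well-formed.
SIG_UNBOUND_PREFIX = "<Container><ds:Signature/></Container>"


def signature_namespace(xml_text):
    """Namespace URI of the first element whose local name is Signature.
    Returns '' for no namespace, None if no such element exists. ElementTree
    stores namespaced tags as '{uri}local', so prefixes never appear here."""
    for el in ET.fromstring(xml_text).iter():
        if el.tag == "Signature":
            return ""
        if el.tag.startswith("{") and el.tag.endswith("}Signature"):
            return el.tag[1:el.tag.index("}")]
    return None


def has_dsig_signature(xml_text):
    """Strict check: the element must be in the XMLDSig namespace, whatever
    prefix it uses. Matching on the local name alone would accept case 3,
    an element the XMLDSig schema never declared."""
    return signature_namespace(xml_text) == DSIG_NS


def is_well_formed(xml_text):
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:  # e.g. an unbound prefix
        return False
```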

