[xmlsec] Signature in different namespace
simon at josefsson.org
Tue Oct 16 00:53:33 PDT 2012
Thank you for insight -- I'm not a XML expert so your pointers and
further elaboration helps, and your email will be a good a reference
when this issue with PSKC is brought up in the IETF.
"G. Ken Holman" <gkholman at CraneSoftwrights.com> writes:
> At 2012-10-16 00:23 +0200, Simon Josefsson wrote:
>>"G. Ken Holman" <gkholman at CraneSoftwrights.com> writes:
>> > <xsd:element ref="ds:Signature" minOccurs="0" maxOccurs="1">
>> > I hope this helps.
>>Thank you -- 'ref="ds:Signature"' is used in SAML Assertion as well so
>>it seems like a good approach.
> Not "good", but correct. The declaration you showed creates an
> element named "Signature" in the incorrect namespace, not in the
> digital signature namespace. I believe that example you cite is
> absolutely wrong.
>>More insight into this would be appreciated. Is there any way the RFC
>>6030 approach could work? I'm concerned that there is an example in the
>>RFC that people may have modelled their implementations after. My
>>current approach to remove the ds: prefix on the Signature element leads
>>to valid XML so that workaround would works even if isn't kosher.
> It may be well-formed XML but it isn't valid according to the XMLDsig
> specification. That specification states that Signature must be in
> the digital signature namespace (the prefix "ds:" is irrelevant;
> "simon:Signature" is schema valid if
> xmlns:simon="http://www.w3.org/2000/09/xmldsig#"). The specification
> is clear:
> ... and the spec shows it being declared both with a prefix (in XSD)
> and without a prefix (in DTD). The prefix is irrelevant. The
> namespace URI is crucial.
> If people don't use XML properly, I can't see why they would expect it
> to work. This is basic namespace-valid XML stuff.
> I have a free video lecture on namespaces (in general, not specific to
> digital signatures) in my XSLT class at:
> (54:09 mark of Module 1 Lecture 1 - The XML Family of Recommendations)
>>Having some pointer to text in the XMLDsig standard explaining that this
>>is improper would help.
> Why would a standard describe what is incorrect? How would it know
> what to put in the list if incorrect things before the standard is out
> in the public being incorrectly used? Wouldn't having such examples
> lead to confusion if users don't read the document properly and start
> quoting the incorrect examples? Users should just implement it
> correctly. It looks like some are already reading not reading the
> document properly.
> Please forgive my frustration. This isn't a fault of XML, it is a
> fault of the people writing incorrect examples.
> I hope this has helped.
> . . . . . . . . Ken
> Contact us for world-wide XML consulting and instructor-led training
> Free 5-hour lecture: http://www.CraneSoftwrights.com/links/udemy.htm
> Crane Softwrights Ltd. http://www.CraneSoftwrights.com/z/
> G. Ken Holman mailto:gkholman at CraneSoftwrights.com
> Google+ profile: https://plus.google.com/116832879756988317389/about
> Legal business disclaimers: http://www.CraneSoftwrights.com/legal
More information about the xmlsec