Rich,
I think that the "for the SOAP..." is the problem.
The Signature is "for" the envelope, it "goes in"
the SOAP Header.
The Reference/@URI="" does the work of ensuring that
it is the envelope which is digested (exclusive of
the Signature by means of the transforms).
Cheers,
Chris
Rich Salz wrote:
> I think it should be "as a SOAP Header". If the intent is to put an XML
> DSIG as a Header element inside the SOAP envelope.
>
>
>>Section 4.1.3 Signature Generation, line 1068 states:
>>
>>1) Creat a ds:SignedInfo element with ds:SignatureMethod,
>>ds:CanonicalizationMethod, and ds:Reference elements for the SOAP
>>Header and any required payload objects, as prescribed by [XMLDSIG].
>>
>>Shouldn't the phrase "SOAP Header" be replaced with "SOAP Envelope"
>>instead? Don't we want to sign the SOAP Body as well?
>>
>