OASIS ebXML Messaging Services TC

  • 1.  Re: Signature Transforms

    Posted 08-24-2001 11:44
    David:
    
    The example starting on line 2045 is not consistent with the description
    on lines 2027 - 2036. I think there should be an enveloped-signature
    transform in the example to exclude the ds:Signature element.
    
    The enveloped signature transform is defined as follows in
    http://www.w3.org/TR/2001/PR-xmldsig-core-20010820/:
    
    6.6.4 Enveloped Signature Transform
    Identifier:
    http://www.w3.org/2000/09/xmldsig#enveloped-signature
    An enveloped signature transform T removes the whole Signature element
    containing T from the digest calculation of the Reference element containing
    T. The entire string of characters used by an XML processor to match the
    Signature with the XML production element is removed. The output of the
    transform is equivalent to the output that would result from replacing T
    with an XPath transform containing the following XPath parameter element:
    
       <XPath xmlns:dsig="&dsig;">
       count(ancestor-or-self::dsig:Signature |
       here()/ancestor::dsig:Signature[1]) >
       count(ancestor-or-self::dsig:Signature)</XPath>
    
    -Arvola
    
    -----Original Message-----
    From: David Fischer <david@drummondgroup.com>
    To: Ralph Berwanger <rberwanger@bTrade.com>
    Cc: ebXML Msg <ebxml-msg@lists.oasis-open.org>
    Date: Friday, August 24, 2001 8:27 AM
    Subject: Signature Transforms
    
    
    Hi Ralph,
    
    Remember in Vienna when we went back and forth on whether it is necessary to
    create a transform to exclude the Signature element?  I'm still not sure. . .
    
    http://www.w3.org/TR/2001/PR-xmldsig-core-20010820/
    
           <Reference URI="">
             <Transforms>
               <Transform
                 Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
                 <XPath xmlns:dsig="&dsig;">
                   not(ancestor-or-self::dsig:Signature)
                 </XPath>
               </Transform>
             </Transforms>
             <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
             <DigestValue>. . .</DigestValue>
           </Reference>
    
    This seems to have a Transform excluding the Signature element.  However, in
    our example on page 54 we have:
    
           <ds:Reference URI="">
             <Transforms>
               <Transform
                 Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
                 <XPath xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
                   not(ancestor-or-self::eb:TraceHeaderList or
                   ancestor-or-self::eb:Via)
                 </XPath>
               </Transform>
             </Transforms>
             <ds:DigestMethod
               Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
             <ds:DigestValue>...</ds:DigestValue>
           </ds:Reference>
    
    We don't exclude the Signature in the Transform.  In Vienna, we decided that
    this happened automatically, can you confirm?
    
    Regards,
    
    David Fischer
    Drummond Group.
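
An added example, not part of the original thread or of the ebXML specification: it shows why a `Reference URI=""` needs the enveloped-signature transform, by computing the reference digest before and after `DigestValue` is written into the document. The sample document, the helper names `reference_digest` and `verifies_after_signing`, and the use of ElementTree's C14N 2.0 in place of the XML-DSig default canonicalization are assumptions made for the illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = DS + "enveloped-signature"
ET.register_namespace("ds", DS)

# Constructed sample document (not the ebXML example from the spec).
TEMPLATE = (
    '<Envelope xmlns:ds="' + DS + '"><Header><ds:Signature><ds:SignedInfo>'
    '<ds:Reference URI=""><ds:Transforms>{transforms}</ds:Transforms>'
    '<ds:DigestValue>{digest}</ds:DigestValue></ds:Reference></ds:SignedInfo>'
    '<ds:SignatureValue>{sig}</ds:SignatureValue></ds:Signature></Header>'
    '<Body>order 42</Body></Envelope>'
)
WITH_ENVELOPED = '<ds:Transform Algorithm="' + ENVELOPED + '"/>'


def reference_digest(xml_text):
    """Digest for Reference URI="" after applying the listed transforms."""
    root = ET.fromstring(xml_text)
    sig = root.find(".//{%s}Signature" % DS)
    algs = [t.get("Algorithm") for t in sig.iter("{%s}Transform" % DS)]
    if ENVELOPED in algs:
        # Remove only the Signature element; text that follows it stays.
        parent = next(p for p in root.iter() if sig in list(p))
        i = list(parent).index(sig)
        if i == 0:
            parent.text = (parent.text or "") + (sig.tail or "")
        else:
            parent[i - 1].tail = (parent[i - 1].tail or "") + (sig.tail or "")
        parent.remove(sig)
    # Assumption: ElementTree's C14N 2.0 stands in for the C14N 1.0 default.
    c14n = ET.canonicalize(ET.tostring(root, encoding="unicode"))
    return base64.b64encode(hashlib.sha1(c14n.encode("utf-8")).digest()).decode()


def verifies_after_signing(transforms):
    """Sign (fill DigestValue/SignatureValue), then recompute as a verifier."""
    unsigned = TEMPLATE.format(transforms=transforms, digest="", sig="")
    stored = reference_digest(unsigned)
    signed = TEMPLATE.format(transforms=transforms, digest=stored, sig="c2ln")
    return reference_digest(signed) == stored
```

`verifies_after_signing(WITH_ENVELOPED)` returns `True`, while `verifies_after_signing("")` returns `False`: without a transform that removes `ds:Signature`, the digest covers its own `DigestValue` and the verifier can never reproduce it.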
    
    