OASIS ebXML Messaging Services TC

Re: [ebxml-msg] security problem with ebXML MS

  • 1.  Re: [ebxml-msg] security problem with ebXML MS

    Posted 11-07-2001 17:33
    > What if we add a second Reference in the ds:Signature for 'each' payload so that
    > there would be two references to the same cid, for each payload.  I looked in
    > the dSig spec and there doesn't seem to be any prohibition on this.
    
    Yes, that's totally legal.
    
    I have a different idea.
    
    Take the MIME headers that you want to protect, convert them into UTF-8,
    turn all sequences of multi-line headers into a single line (i.e., turn
    "[\r\n]+[ \t]+" into " "). Base64 encode that. Define an ebXML element
    to hold that text string.  It should be a string of type
    "xsi:base64Binary" and it should have an attribute of type "xsi:anyURI"
    that contains the CID pointing to the MIME multipart.
    
    We now have a new XML element that contains "a" canonical form of the
    MIME headers, and a link to the "original" headers.
    
    XMLDSIG includes an "Object" element that can contain anything.  Allow an
    ebXML DSIG to contain an Object whose content is the ebXML element
    described above, and a Reference to that object.
    
    Parties concerned about MITM MIME tampering can create the object,
    parties not concerned will just see a little bit of XML content to hash.
    
    Hope this helps.  Let me know if more explanation -- or a concrete
    example -- is needed.
    	/r$
    
    -- 
    Zolera Systems, Securing web services (XML, SOAP, Signatures,
    Encryption)
    http://www.zolera.com
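
The scheme sketched in the post (unfold the MIME headers, UTF-8 them, base64 the result, wrap it in an element carrying a cid: URI, and let the receiver recompute and compare) as a worked example. This is added illustration, not code from the thread or from Zolera; the element name `ProtectedMIMEHeaders`, its namespace, the sample headers and the Content-ID are all constructed here, and the post does not fix them. Signing the resulting element inside a ds:Object is left to whatever XML-DSIG library is in use, since that step needs proper XML canonicalization.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample: headers of one payload part of an ebXML MIME multipart.
# The Content-Type header is folded across two lines with a tab continuation,
# exactly the case the post's "[\r\n]+[ \t]+" rule is meant to normalise.
SAMPLE_HEADERS = (
    "Content-ID: <payload-1@example.com>\r\n"
    "Content-Type: application/xml;\r\n"
    "\tcharset=\"UTF-8\"\r\n"
    "Content-Transfer-Encoding: binary\r\n"
)

# Hypothetical element and namespace names; the post leaves them undefined.
EB_NS = "urn:example:ebxml-protected-headers"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# The post's unfolding rule: any line break followed by whitespace is one space.
FOLD_RE = re.compile(r"[\r\n]+[ \t]+")


def canonicalize_mime_headers(raw_headers: str) -> bytes:
    """Canonical form from the post: unfold continuation lines, encode UTF-8."""
    unfolded = FOLD_RE.sub(" ", raw_headers)
    return unfolded.encode("utf-8")


def build_protected_headers_element(raw_headers: str, cid: str) -> ET.Element:
    """Element holding the base64 of the canonical headers (the post's
    xsi:base64Binary string) with a URI attribute (the post's xsi:anyURI)
    that points at the MIME part by Content-ID."""
    canon = canonicalize_mime_headers(raw_headers)
    el = ET.Element(f"{{{EB_NS}}}ProtectedMIMEHeaders")
    el.set("URI", f"cid:{cid}")
    el.text = base64.b64encode(canon).decode("ascii")
    return el


def wrap_in_ds_object(el: ET.Element, object_id: str) -> ET.Element:
    """Place the element inside a ds:Object so a ds:Reference URI="#object_id"
    in the same ds:Signature covers it. Digest and signature computation
    over the Object is the signing library's job (requires XML C14N)."""
    obj = ET.Element(f"{{{DS_NS}}}Object")
    obj.set("Id", object_id)
    obj.append(el)
    return obj


def verify_headers_unchanged(el: ET.Element, received_headers: str) -> bool:
    """Receiver side: recompute the canonical form of the headers actually
    received and compare with the signed copy. A mismatch means the MIME
    headers were altered after signing; re-folding by an intermediary does
    not trip it because folding is normalised away on both sides."""
    signed = base64.b64decode(el.text or "")
    return signed == canonicalize_mime_headers(received_headers)


if __name__ == "__main__":
    el = build_protected_headers_element(SAMPLE_HEADERS, "payload-1@example.com")
    obj = wrap_in_ds_object(el, "mime-headers-1")
    print(ET.tostring(obj, encoding="unicode"))
    tampered = SAMPLE_HEADERS.replace("application/xml", "text/plain")
    print("intact   :", verify_headers_unchanged(el, SAMPLE_HEADERS))
    print("tampered :", verify_headers_unchanged(el, tampered))
```

The check on the receiving side is the point of the construction: the base64 text travels inside the signed XML, so a relay that rewrites Content-Type or Content-Transfer-Encoding on the MIME part is caught, while one that merely refolds a long header line with spaces instead of tabs still verifies.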