cocoon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michael Hartle <mhar...@hartle-klug.com>
Subject Re: xml-signature
Date Sun, 17 Feb 2002 15:10:55 GMT
Jason Foster wrote:

>> What about a SigningTransformer and a VerifyingTransformer ? The 
>> SigningTransformer would then sign the referenced portions as the 
>> last transformer in a pipeline; the VerifyingTransformer would check 
>> the signatures as the first transformer, either passing the correct 
>> content through or somehow marking the content or signature as 
>> invalid. I hope I understood the spec correctly so far; I guess that 
>> the specification does not apply to other content than serialized XML.
>
> My take on the specification, but I can't claim perfect understanding, 
> is that it covers signing any kind of content.  Quoting from the 
> Introduction:
>
>> XML Signatures can be applied to any digital content (data object), 
>> including XML. An XML Signature may be applied to the content of one 
>> or more resources. Enveloped or enveloping signatures are over data 
>> within the same XML document as the signature; detached signatures 
>> are over data 
>> external to the signature element. 
>
You are right, you can sign any digital content, but the signature 
itself is detached, not contained in these non-xml binary formats; 
understood - the example at 
http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/#sec-o-Simple shows 
a signature for  http://www.w3.org/TR/2000/REC-xhtml1-20000126.

> For enveloped signatures, your suggestion should work fine.  The trick 
> seems to be how to handle detached signatures.

We could handle it like X/CIncludeTransformers work, letting the 
SignatureTransformer fire up on something like

<sig:sign src="http://some.external.doc/to/be/sig.ned">
    <sig:Transforms>
        <sig:Transform 
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    </sig:Transforms>
    <sig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
</sig:sign>

That way it would be possible to both sign an arbitrary resource and 
portions of the already generated content, via an XPath expression for 
example.

Best regards,

Michael Hartle,
Hartle & Klug GbR


---------------------------------------------------------------------
To unsubscribe, e-mail: cocoon-dev-unsubscribe@xml.apache.org
For additional commands, email: cocoon-dev-help@xml.apache.org


Mime
View raw message