Return-Path: 
 <cocoon-dev-return-22901-apmail-xml-cocoon-dev-archive=xml.apache.org@xml.apache.org>
Delivered-To: apmail-xml-cocoon-dev-archive@xml.apache.org
Received: (qmail 97177 invoked by uid 500); 17 Feb 2002 15:17:31 -0000
Mailing-List: contact cocoon-dev-help@xml.apache.org; run by ezmlm
Precedence: bulk
list-help: <mailto:cocoon-dev-help@xml.apache.org>
list-unsubscribe: <mailto:cocoon-dev-unsubscribe@xml.apache.org>
list-post: <mailto:cocoon-dev@xml.apache.org>
Reply-To: cocoon-dev@xml.apache.org
Delivered-To: mailing list cocoon-dev@xml.apache.org
Received: (qmail 97164 invoked from network); 17 Feb 2002 15:17:31 -0000
Message-ID: <3C6FC7FF.3090201@hartle-klug.com>
Date: Sun, 17 Feb 2002 16:10:55 +0100
From: Michael Hartle <mhartle@hartle-klug.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US;
 rv:0.9.8) Gecko/20020204
X-Accept-Language: en-us
MIME-Version: 1.0
To: cocoon-dev@xml.apache.org
Subject: Re: xml-signature
References: <79422084-23B3-11D6-ADE2-000A27E14D02@uwaterloo.ca>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N

Jason Foster wrote:

>> What about a SigningTransformer and a VerifyingTransformer ? The 
>> SigningTransformer would then sign the referenced portions as the 
>> last transformer in a pipeline; the VerifyingTransformer would check 
>> the signatures as the first transformer, either passing the correct 
>> content through or somehow marking the content or signature as 
>> invalid. I hope I understood the spec correctly so far; I guess that 
>> the specification does not apply to other content than serialized XML.
>
> My take on the specification, but I can't claim perfect understanding, 
> is that it covers signing any kind of content.  Quoting from the 
> Introduction:
>
>> XML Signatures can be applied to any digital content (data object), 
>> including XML. An XML Signature may be applied to the content of one 
>> or more resources. Enveloped or enveloping signatures are over data 
>> within the same XML document as the signature; detached signatures 
>> are over data 
>> external to the signature element. 
>
You are right, you can sign any digital content, but the signature 
itself is detached, not contained in these non-xml binary formats; 
understood - the example at 
http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/#sec-o-Simple shows 
a signature for  http://www.w3.org/TR/2000/REC-xhtml1-20000126.

> For enveloped signatures, your suggestion should work fine.  The trick 
> seems to be how to handle detached signatures.

We could handle it like X/CIncludeTransformers work, letting the 
SignatureTransformer fire up on something like

<sig:sign src="http://some.external.doc/to/be/sig.ned">
    <sig:Transforms>
        <sig:Transform 
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    </sig:Transforms>
    <sig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
</sig:sign>

That way it would be possible to both sign an arbitrary resource and 
portions of the already generated content, via an XPath expression for 
example.

Best regards,

Michael Hartle,
Hartle & Klug GbR


---------------------------------------------------------------------
To unsubscribe, e-mail: cocoon-dev-unsubscribe@xml.apache.org
For additional commands, email: cocoon-dev-help@xml.apache.org