incubator-odf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dennis E. Hamilton" <>
Subject RE: FW: Status of the Simple Java API for ODF and ODFDOM - 08/10/2011
Date Wed, 17 Aug 2011 15:33:05 GMT
1. There is no ODF requirement that namespace binding be with a prefix.  The binding can be
with a default namespace (no prefix). 

  1.1 There is no problem with any of the ODF RNG Schemas with how [xml-names] is supported.

  1.2 Although prefixes are always used in the ODF Specification, neither the particular name
for the prefix or the use of a prefix are required.  (However, a prefix is required if attributes
are defined in a namespace.  There is no default namespace for attributes.)  The namespace
binding can be by any means that [xml-names] provides for.  

For example, the NameSpaceResilience-01- and -02- ODF Text documents at
are valid.  (Note that prefix bindings are still used with the attribute names.)

  1.3 The W3C DSig XML Schema allows namespace binding by default and that is what all of
the examples do.  Also, the W3C DSig XML Schema does not assume namespace bindings on attributes
of DSig-defined elements, so having a prefix on those is inappropriate.

  1.4 One problem that we have is some ODF 1.2 META-INF/documentsignatures.xml consumers *expect*
that a default namespace binding is used.  That appears to be a defect.

  1.5 The proposed workaround should provide the greatest interoperability.  See <>
(previously copied to odf-dev).

2. I have no explanation for the duplicate X.509 certificates.  I have seen them in some documents.
 I have no idea why they are produced.  I was asking what implementation and version is producing
them.  I don't see them all the time.  Is it possible simply to ignore the duplication?

 - Dennis

PS: Your attachment did not come through on the list.

-----Original Message-----
From: Biao Han [] 
Sent: Tuesday, August 16, 2011 20:48
Subject: Re: FW: Status of the Simple Java API for ODF and ODFDOM - 08/10/2011

"Dennis E. Hamilton" <> wrote on 2011-08-16 01:59:01:

> From: "Dennis E. Hamilton" <>
> To: "odf-dev ODF Toolkit Incubator" <>
> Date: 2011-08-16 01:58
> Subject: FW: Status of the Simple Java API for ODF and ODFDOM - 08/10/2011
> Now that the list exists, ...
> -----Original Message-----
> From: Dennis E. Hamilton [] 
> Sent: Wednesday, August 10, 2011 08:42
> To: 'Biao Han'
> Subject: RE: Status of the Simple Java API for ODF and ODFDOM - 08/10/2011
> Nicely done.  Thanks for being so visible.
> Another thing you can do is set up an ODFtoolkit blog at Apache.  
> Ideally, the mailing lists will appear soon.
> Two Questions:
>  1.   My impression is that the signatures from OO.o are correct.  
> They do specify namespaces, but use default namespace declarations 
> instead of prefixes.
>   In what way is the signature document incorrect?

The signature document always work. The question is the realization detail. Duplicate X.509
certificate info and without namespace prefix.

>   Also, what versions of are you checking
> signatures against?
>   I have signatures from LibreOffice 3.4 that do not appear to 
> duplicate X.509 certificates and that seem to use namespaces 
> correctly, although dsig namespace is 
> declared with default xmlns declaration.

I attach a sample file. I am sure there are duplicate X.509 certificate info in it.
You can also reference, they face the
same issue.

>  2.   Does ODFDOM fail because of namespace being declared as 
> default or because of something to do with canonicalization?  If the
> XML Digital Signature specification requires default namespace, it 
> may be that ODF specification is incorrect.
>   Have you found expert appraisal of what XML Digital Signature requires?
ODFDOM fails, because the signature file without namespace prefix. This maybe considered
as a bug of ODFDOM.
But all of the other xml files, content.xml, styles.xml. meta.xml, settings.xml and manifest.xml
have namespace prefix. Even the schema of documentsingature.xml has namespace prefix. But
the OpenOffice generated file doesn't have. I suggest OpenOffice should follow this.

<define name="dsig-document-signatures">
<element name="dsig:document-signatures">
<ref name="dsig-document-signatures-attlist"/>
<ref name="ds-signature"/>
<define name="dsig-document-signatures-attlist">
<attribute name="dsig:version">
<define name="ds-signature">
<element name="ds:Signature">
<!-- The permitted content of this element is the permitted -->
<!-- content of the Signature element defined by W3C XML -->
<!-- Signature Syntax and Processing (Second Edition). -->
<!-- See OpenDocument v1.2 part 3, section 4.3. -->
<ref name="dsMarkup"/>

>  - Dennis
> -----Original Message-----
> From: Biao Han [] 
> Sent: Wednesday, August 10, 2011 08:14
> To:;; 
> Cc:
> Subject: Status of the Simple Java API for ODF and ODFDOM - 08/10/2011
> [ ... ]
>    1. Working on data signature. There are two issues caused by OpenOffice
>    block the process.
>        (1) generate a Namespace unaware signature document.
>    ODFDOM loads it fails.
>        (2) creates multiple X509Certificates instead of the
>    correct certification chain under ds:KeyInfo.
>        see also:
> (ds namespace
>          in LibreOffice)
> (ds
>          namespace in OOo)
> (multiple
>          X509Certificate  in OOo)
>        We have to supply two modes to fix it. One follows ODF
>    specification, the other follows Open Office. The question is which is
>    the default?
> [ ... ]
> Regards
> Biao Han (Devin)
> SOA Standards Growth, Emerging Technology Institute(ETI), IBM China
> Software Development Laboratory
> Tel:(86-10)82450541
> Email:
> Address: 3/F Ring Building, No.28 Building, Zhong Guan Cun Software Park,
> No. 8 Dong Bei Wang West Road, ShangDi, Haidian District, Beijing,
> P.R.C.100193
(See attached file: documentsignatures-openoffice.xml)

View raw message