santuario-dev mailing list archives

From "Scott Cantor" <canto...@osu.edu>
Subject RE: Signing just one of the elements in a DOMDocument
Date Mon, 06 Aug 2007 15:10:09 GMT
> > Yes, but it's somewhat difficult. You can either use an XPath filter
> > transform to select the node, or refer to the node by an ID attribute.
> 
> It's not 100% clear to me how you mean that, but I am new to XML Security
> (though not to XML). Do you see the problem in retrieving the correct XML
> element from the tree (both for signer and receiver), but not in the
> signing process itself?

The signing step is transparent to the caller once you have created the
transforms you want. Other than creating the XPath (quite simple unless you
don't know XPath), it's easy to do.

The problem is in the verification step, where an infinite number of XPaths
produce the same node set, so determining what's been signed is difficult or
inefficient.

ID-based signing is much cleaner, but requires schemas or
application-specific knowledge, at least prior to the emergence of xml:id.

-- Scott
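
The verification-side difference described above, as an added example that is not part of the original message and not Santuario code: a relying party can resolve an ID-based Reference to one element by inspection, but refuses an XPath transform because the selected node set cannot be read off the expression. Python's standard library stands in for the Santuario API here; the attribute name `ID`, the function names and the sample document are assumptions, and cryptographic validation of the signature is assumed to be done separately by the signature library.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# Transform algorithm URIs for XPath Filtering and XPath Filter 2.0.
XPATH_TRANSFORMS = {
    "http://www.w3.org/TR/1999/REC-xpath-19991116",
    "http://www.w3.org/2002/06/xmldsig-filter2",
}

def signed_element(root, id_attr="ID"):
    """Return the one element the signature's Reference points at, or raise ValueError.

    id_attr is the application-specific knowledge of which attribute is an ID.
    """
    refs = root.findall(f".//{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if len(refs) != 1:
        raise ValueError("expected exactly one Reference")
    ref = refs[0]
    for t in ref.iter(f"{{{DS}}}Transform"):
        if t.get("Algorithm") in XPATH_TRANSFORMS:
            raise ValueError("XPath transform: signed node set not determinable by inspection")
    uri = ref.get("URI", "")
    if not uri.startswith("#") or len(uri) < 2:
        raise ValueError("Reference is not a same-document ID reference")
    matches = [e for e in root.iter() if e.get(id_attr) == uri[1:]]
    if len(matches) != 1:
        raise ValueError("ID must resolve to exactly one element")
    return matches[0]

def is_covered(root, target, id_attr="ID"):
    """True if target is the signed element or one of its descendants."""
    return any(e is target for e in signed_element(root, id_attr).iter())

# Constructed sample: two items, the signature references only the first.
def sample(uri="#item-1", alg="http://www.w3.org/2001/10/xml-exc-c14n#"):
    return ET.fromstring(f"""<Order xmlns:ds="{DS}">
  <Item ID="item-1"><Price>10</Price></Item>
  <Item ID="item-2"><Price>20</Price></Item>
  <ds:Signature><ds:SignedInfo>
    <ds:Reference URI="{uri}"><ds:Transforms>
      <ds:Transform Algorithm="{alg}"/>
    </ds:Transforms></ds:Reference>
  </ds:SignedInfo></ds:Signature>
</Order>""")

if __name__ == "__main__":
    doc = sample()
    items = doc.findall("Item")
    print(is_covered(doc, items[0]), is_covered(doc, items[1]))
```
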


