santuario-dev mailing list archives

From "Scott Cantor" <canto...@osu.edu>
Subject RE: Signing just one of the elements in a DOMDocument
Date Wed, 01 Aug 2007 21:38:17 GMT
> Say I want to only sign the body of the second note element. How do I
> go about doing this? If I use the XPath way, how do I uniquely identify the
> second note's body?

I don't use XPath, so I'm not the one to ask.

The problem you face with it is that the relying party has to examine the
XPath when he verifies in order to determine what was signed. Since any
number of expressions will result in the same node set, this is basically
impossible, so you have to exchange information out of band about the
expressions to look for, or the RP has to recompute the node set as part of
verification (or get at the node set produced while using the signature
verifier).

This is the second most common omission in signature verification, checking
what was signed. (The most common is relying on KeyInfo as trusted
information.)

-- Scott
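The "check what was signed" step Scott describes, as an added Python example that is not from this thread or from Santuario. It assumes cryptographic verification of the signature has already passed, that same-document references use an attribute named ID, and that any XPath transform makes the signed node set undeterminable without recomputing it.

```python
"""Determine which elements an XML Signature actually covers (run after the
cryptographic check succeeds; this step does no crypto itself)."""
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
XPATH_TRANSFORM = "http://www.w3.org/TR/1999/REC-xpath-19991116"

# Constructed sample: two notes; the single Reference points at the second
# note's body by ID. SignatureValue is a placeholder, not a real signature.
DOC = """<notes xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <note><body ID="body1">first</body></note>
  <note><body ID="body2">second</body></note>
  <ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#body2"><ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ds:Transforms></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
</notes>"""

# Same document, but the Reference uses an XPath transform (constructed variant).
XPATH_DOC = DOC.replace("http://www.w3.org/2001/10/xml-exc-c14n#", XPATH_TRANSFORM)


def signed_ids(root):
    """IDs named by same-document References ("" means the whole document).

    Returns None when any Reference carries an XPath transform: the node set
    then depends on the expression and must be recomputed, not inferred.
    """
    ids = set()
    for ref in root.iter(DS + "Reference"):
        if any(t.get("Algorithm") == XPATH_TRANSFORM for t in ref.iter(DS + "Transform")):
            return None
        uri = ref.get("URI", "")
        if uri == "":
            ids.add("")  # enveloped signature over the entire document
        elif uri.startswith("#"):
            ids.add(uri[1:])
    return ids


def element_is_signed(root, elem_id):
    """True only if the element with ID elem_id, or an ancestor, is referenced."""
    ids = signed_ids(root)
    node = next((e for e in root.iter() if e.get("ID") == elem_id), None)
    if ids is None or node is None:
        return False
    parent = {child: p for p in root.iter() for child in p}
    while node is not None:
        if node.get("ID") in ids:
            return True
        node = parent.get(node)
    return "" in ids


def parse(xml_text):
    return ET.fromstring(xml_text)
```

A relying party that only checks the signature value and skips this step accepts a signature over body1 as if it covered body2.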


