Delivered-To: mailing list security-dev@xml.apache.org
From: "Scott Cantor"
References: <015c01c7d471$13491ca0$39db55e0$%2@osu.edu> <200708061054.23113.ralph-xmlsecurity@ralphholz.de>
In-Reply-To: <200708061054.23113.ralph-xmlsecurity@ralphholz.de>
Subject: RE: Signing just one of the elements in a DOMDocument
Date: Mon, 6 Aug 2007 11:10:09 -0400
Organization: The Ohio State University
Message-ID: <003b01c7d83b$e0fd1160$a2f73420$@2@osu.edu>

> > Yes, but it's somewhat difficult. You can either use an XPath filter
> > transform to select the node, or refer to the node by an ID attribute.
>
> It's not 100% clear to me how you mean that, but I am new to XML Security
> (though not to XML). Do you see the problem in retrieving the correct XML
> element from the tree (both for signer and receiver), but not in the
> signing process itself?

The signing step is transparent to the caller once you have created the
transforms you want. Other than creating the XPath (quite simple unless you
don't know XPath), it's easy to do.

The problem is in the verification step, where an infinite number of XPaths
produce the same node set, so determining what's been signed is difficult or
inefficient. ID-based signing is much cleaner, but requires schemas or
application-specific knowledge, at least prior to the emergence of xml:id.

-- Scott
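As an added illustration of the verification-side point above (this is not code from the thread or from the Apache XML Security library), the Python below resolves each ds:Reference of a signature to the element it names: a same-document "#id" URI maps to exactly one element once the application knows which attribute is an ID (xml:id is assumed here), while a Reference carrying an XPath transform is reported as undeterminable from the URI alone. It checks digests or signature values not at all; the sample document and the helper names are constructed for the example.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
XPATH = "http://www.w3.org/TR/1999/REC-xpath-19991116"  # XPath transform URI
XML_ID = "{http://www.w3.org/XML/1998/namespace}id"
# Constructed sample (no real digests): only <Order xml:id="o1"> is referenced.
SAMPLE = """<Envelope>
  <Order xml:id="o1"><Item>widget</Item></Order>
  <Note xml:id="n1">not covered</Note>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo><Reference URI="#o1"><DigestValue>X</DigestValue></Reference></SignedInfo>
    <SignatureValue>X</SignatureValue>
  </Signature>
</Envelope>"""

def index_ids(root, id_attrs=(XML_ID,)):
    """Map ID values to elements, using only attributes the application knows
    are IDs (here xml:id). A duplicated ID is an error, not a lookup result."""
    table = {}
    for el in root.iter():
        for val in filter(None, (el.get(a) for a in id_attrs)):
            if val in table:
                raise ValueError(f"duplicate ID {val!r}")
            table[val] = el
    return table

def signed_elements(root, id_attrs=(XML_ID,)):
    """Resolve each ds:Reference: '#id' URIs map to one element; a Reference
    using an XPath transform is undeterminable here (node set depends on the XPath)."""
    ids = index_ids(root, id_attrs)
    out = []
    for ref in root.iter(DS + "Reference"):
        uri = ref.get("URI", "")
        if any(t.get("Algorithm") == XPATH for t in ref.iter(DS + "Transform")):
            out.append(("xpath", uri, None))
        elif uri.startswith("#") and uri[1:] in ids:
            out.append(("id", uri, ids[uri[1:]]))
        else:
            out.append(("unresolved", uri, None))
    return out

def covers(root, element, id_attrs=(XML_ID,)):
    """True only if `element` is exactly an element named by an ID Reference."""
    return any(k == "id" and el is element
               for k, _, el in signed_elements(root, id_attrs))

def check_sample():
    root = ET.fromstring(SAMPLE)
    return covers(root, root.find("Order")), covers(root, root.find("Note"))
```

The relying application should call `covers` on the very element it is about to act on, rather than trusting any element that merely carries the referenced ID value.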