From: "Scott Cantor"
To: security-dev@xml.apache.org
Subject: RE: Signing just one of the elements in a DOMDocument
Date: Wed, 1 Aug 2007 17:38:17 -0400
Organization: The Ohio State University
Message-ID: <016d01c7d484$45dd6fa0$d1984ee0$@2@osu.edu>
> Say I want to only sign the body of the second note element. How do I
> go about doing this? If I use the XPath way, how do I uniquely identify
> the second note's body?

I don't use XPath, so I'm not the one to ask. The problem you face with it is that the relying party has to examine the XPath when he verifies in order to determine what was signed. Since any number of expressions will result in the same node set, this is basically impossible, so you have to exchange information out of band about the expressions to look for, or the RP has to recompute the node set as part of verification (or get at the node set produced while using the signature verifier).

This is the second most common omission in signature verification, checking what was signed. (The most common is relying on KeyInfo as trusted information.)

-- Scott
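The two checks Scott describes (verify against a key you already trust rather than whatever ds:KeyInfo offers, and then confirm that the element you are about to rely on was actually inside the signed node set) as an added example written for this page; it is not code from the thread or from the Apache project. It uses the JDK's javax.xml.crypto.dsig (JSR 105) API rather than the library the original poster was asking about. The notes/note/body element names, the id attribute, the key pair generated inline and the helper names (buildDocument, signElement, verifyCovers, secondNoteBody) are assumptions made for the example. It signs the second note's body with a plain same-document ID reference instead of an XPath transform; the coverage check is what matters whichever way the reference is written.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;

import javax.xml.crypto.Data;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.NodeSetData;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SignOneElement {
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Constructed sample document (assumed schema): two notes, each with a body carrying an id.
    static Document buildDocument() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element notes = doc.createElement("notes");
        doc.appendChild(notes);
        for (int i = 1; i <= 2; i++) {
            Element note = doc.createElement("note");
            Element body = doc.createElement("body");
            body.setAttribute("id", "body" + i);
            body.setTextContent("text of note " + i);
            note.appendChild(body);
            notes.appendChild(note);
        }
        return doc;
    }

    // The relying party locates the element it cares about by structure, not by trusting any URI.
    static Element secondNoteBody(Document doc) {
        return (Element) doc.getElementsByTagName("body").item(1);
    }

    // Sign only 'target' (by ID reference); the ds:Signature is appended under the document root.
    static void signElement(Document doc, Element target, KeyPair kp) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Transform c14n = fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null);
        Reference ref = fac.newReference("#" + target.getAttribute("id"),
                fac.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(c14n), null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(RSA_SHA256, null),
                Collections.singletonList(ref));
        // No KeyInfo on purpose: the relying party must already know which key it trusts.
        XMLSignature sig = fac.newXMLSignature(si, null);
        DOMSignContext signCtx = new DOMSignContext(kp.getPrivate(), doc.getDocumentElement());
        signCtx.setIdAttributeNS(target, null, "id"); // tell the resolver which attribute is the ID
        sig.sign(signCtx);
    }

    // Verify with a key from configuration, then confirm 'relied' was inside a signed node set.
    static boolean verifyCovers(Document doc, PublicKey trusted, Element relied) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) return false;
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        // singletonKeySelector never consults ds:KeyInfo; trust comes from the caller.
        DOMValidateContext ctx = new DOMValidateContext(KeySelector.singletonKeySelector(trusted), sigs.item(0));
        NodeList bodies = doc.getElementsByTagName("body");
        for (int i = 0; i < bodies.getLength(); i++) {
            ctx.setIdAttributeNS((Element) bodies.item(i), null, "id"); // RP knows its own schema's ID attribute
        }
        ctx.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE); // keep dereferenced node sets
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) return false; // digest or SignatureValue mismatch
        for (Reference r : (List<Reference>) sig.getSignedInfo().getReferences()) {
            Data d = r.getDereferencedData();
            if (!(d instanceof NodeSetData)) continue;
            Iterator<?> it = ((NodeSetData) d).iterator();
            while (it.hasNext()) {
                if (it.next() == relied) return true; // the element we rely on is in what was signed
            }
        }
        return false; // valid signature, but not over the element we were about to trust
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Document doc = buildDocument();
        signElement(doc, secondNoteBody(doc), kp);
        System.out.println("second body covered: " + verifyCovers(doc, kp.getPublic(), secondNoteBody(doc)));
        Element firstBody = (Element) doc.getElementsByTagName("body").item(0);
        System.out.println("first body covered: " + verifyCovers(doc, kp.getPublic(), firstBody));
    }
}
```

The second call in main is the point of the exercise: the digest and SignatureValue still check out, so a verifier that stops at validate() accepts the document, but the coverage loop rejects the first note's body because no reference's node set contains it. One caveat for the XPath case the question actually asked about: getDereferencedData() returns the data as dereferenced from the URI, before any transforms run, so with an XPath transform on a reference to the whole document this loop would see every node and the check would be meaningless. The relying party then has to recompute the post-transform node set itself or pin the exact transform it will accept out of band, which is the problem the reply describes.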