santuario-dev mailing list archives

From Michael McIntosh <mike...@us.ibm.com>
Subject Re: doubt with enveloped signature concept
Date Tue, 08 Jan 2008 19:48:52 GMT
Sean.Mullan@Sun.COM wrote on 01/08/2008 02:30:00 PM:

> Francisco Sepulveda wrote:
> > Hello, I'm having problems with respect to what I understand about the
> > concept of an "enveloped signature"
> >
> > The W3C defines the signature as "The signature is over the XML content
> > that contains the signature as an element. The content provides the root
> > XML document element. Obviously, enveloped signatures must take care not
> > to include their own value in the calculation of the SignatureValue"
> >
> > I have seen that the following xml document has a broad acceptance as a
> > typical use of digital signature .... the classic enveloped signature of
> > the whole document
> >
> > <document>
> >      <element>
> >      </element>
> >      <signature>
> >           <SignedInfo>
> >                  ...
> >                  <Reference URI="">
> >                            <Transforms>
> >                                  <Transform
> > Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> >                            </Transforms>
> >                            <DigestMethod .../>
> >                             <DigestValue> .... </DigestValue>
> >                   </Reference>
> >           </SignedInfo>
> >           ...
> >      </signature>
> > </document>
> >
> > In the above example, it is clear for me that the signature is a child
> > of the xml content being signed.
> >
> > But I read in a book from McGraw-Hill and it shows this example of a
> > signature that is enveloped, enveloping and detached...
> >
> > <Contract1>
> >        <ImportantContent Id="ImportantElement">
> >                 This is important content!
> >        </ImportantContent>
> >
> >       <Signature Id="ThreeTypes">
> >               <SignedInfo>
> >                     <Reference URI="http://www.remote-server.com/file.doc">
> >                           . . .
> >                     </Reference>
> >                     <Reference URI="#contract2">
> >                            . . .
> >                    </Reference>
> >                    <Reference URI="#ImportantElement">
> >                             . . .
> >                    </Reference>
> >              </SignedInfo>
> >              <SignatureValue> . . . </SignatureValue>
> >              <Object Id="contract2">
> >                         <Contract2> This is also very important content! </Contract2>
> >              </Object>
> >       </Signature>
> > </Contract1>
> >
> > FOR ME, the detached and enveloping signature are REALLY clear, but I
> > have doubt about the enveloped signature .... the book said
> >
> > "The Signature Element is enveloped by the <Contract1> element. This
> > particular association gives the XML Signature the enveloped property"
> >
> > So, that is my point, maybe I'm wrong but for me the <Reference
> > URI="#ImportantElement"> is a detached signature or not???
>
> Based on the example above, you're right and the book is wrong. If in
> the example above, the ImportantElement ID was an attribute of the
> Content element then it would be enveloped. It might be nice to send the
> author a comment about that.

I think there is a misunderstanding. This statement
"The Signature Element is enveloped by the <Contract1> element. This
particular association gives the XML Signature the enveloped property"
is correct. The Contract1 element envelops the Signature element.

The <Reference URI="#ImportantElement"> is a detached Signature.

What we do not know, without more information, is whether the <Reference
URI="http://www.remote-server.com/file.doc"> points to the document that
contains the Contract1 element. If it does, that is an Enveloped Signature.

>
> >
> > My final question is, if I really want to sign the <ImportantContent>
> > element using an enveloped signature, do I really need to put the
> > signature as a child of the <ImportantContent> element or not?? Does the
> > location of the signature have a significant impact?
>
> Yes, otherwise it is not an enveloped signature.
>
> > or when the
> > signature is enveloped it is always located as the "last child" of the
> > document element inside an XML document..
>
> It doesn't have to be the last child, it could be the first, the second,
> or any descendant element.
>
> --Sean
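The distinction the thread turns on (enveloped versus enveloping versus detached is a property of where each Reference's target sits relative to the Signature element, not of the Signature's position in the document) can be checked mechanically. The script below is an added example, not code from this thread or from Apache Santuario. It assumes the book's <Contract1> document with the XML-DSig namespace filled in and the "..." bodies dropped (a constructed sample), classifies each ds:Reference by resolving its URI against the Id attributes in the document, and shows what the enveloped-signature transform leaves to be digested: the document with the Signature subtree removed, so SignatureValue can never be part of its own digest. Python's ET.canonicalize implements C14N 2.0 rather than the C14N 1.0/exclusive algorithms an XML-DSig SignedInfo normally names, so the digest is illustrative, not interoperable.

```python
"""Classify each ds:Reference as enveloped, enveloping or detached, and show
what the enveloped-signature transform leaves to be digested.
Added example for this thread; not code from the thread or from Apache Santuario."""
import hashlib
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the book's <Contract1> example with the namespace filled in
# and the "..." bodies dropped. Id="ImportantElement" sits on a sibling of Signature.
CONTRACT = f"""<Contract1>
  <ImportantContent Id="ImportantElement">This is important content!</ImportantContent>
  <Signature xmlns="{DSIG}" Id="ThreeTypes">
    <SignedInfo>
      <Reference URI="http://www.remote-server.com/file.doc"/>
      <Reference URI="#contract2"/>
      <Reference URI="#ImportantElement"/>
    </SignedInfo>
    <SignatureValue>...</SignatureValue>
    <Object Id="contract2"><Contract2>This is also very important content!</Contract2></Object>
  </Signature>
</Contract1>"""

# Constructed variant of Sean's point: the same Id moved onto the element that
# contains the Signature, which turns that Reference into an enveloped one.
CONTRACT_ID_ON_ROOT = CONTRACT.replace(
    "<Contract1>", '<Contract1 Id="ImportantElement">', 1
).replace('<ImportantContent Id="ImportantElement">', "<ImportantContent>", 1)

# Constructed minimal form of the first example in the thread: URI="" plus the
# enveloped-signature transform, i.e. the whole document minus the Signature.
WHOLE_DOC = f"""<document><element/><Signature xmlns="{DSIG}"><SignedInfo>
<Reference URI=""><Transforms><Transform Algorithm="{DSIG}enveloped-signature"/>
</Transforms></Reference></SignedInfo></Signature></document>"""


def _parse(xml_text):
    """Parse and return (root, child->parent map, the ds:Signature element)."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    sig = root.find(f".//{{{DSIG}}}Signature")
    if sig is None:
        raise ValueError("no ds:Signature element in document")
    return root, parents, sig


def classify_references(xml_text):
    """Return {URI: kind} for every ds:Reference under the document's Signature.

    An ancestor of the Signature (or the whole document, URI="") makes the
    reference enveloped; a node inside the Signature (e.g. ds:Object) makes it
    enveloping; any other node in the same document is detached. An external URI
    cannot be classified from this document alone (Michael's point about file.doc).
    """
    root, parents, sig = _parse(xml_text)
    by_id = {el.get("Id"): el for el in root.iter() if el.get("Id")}
    ancestors = set()
    node = sig
    while node in parents:
        node = parents[node]
        ancestors.add(node)
    inside_signature = set(sig.iter()) - {sig}

    kinds = {}
    for ref in sig.iter(f"{{{DSIG}}}Reference"):
        uri = ref.get("URI", "")
        if uri == "":
            kind = "enveloped"      # the whole document, which holds this Signature
        elif uri.startswith("#"):
            target = by_id.get(uri[1:])
            if target is None:
                kind = "unresolved"
            elif target in ancestors:
                kind = "enveloped"
            elif target in inside_signature:
                kind = "enveloping"
            else:
                kind = "detached"
        else:
            kind = "external"       # enveloped only if the URI names this very document
        kinds[uri] = kind
    return kinds


def enveloped_digest(xml_text):
    """SHA-256 of the document after the enveloped-signature transform, i.e. with
    the Signature subtree removed so the digest never covers SignatureValue."""
    root, parents, sig = _parse(xml_text)
    parents[sig].remove(sig)
    # C14N 2.0 from the standard library; real XML-DSig uses C14N 1.0/exclusive.
    c14n = ET.canonicalize(ET.tostring(root, encoding="unicode"))
    return hashlib.sha256(c14n.encode()).hexdigest()


if __name__ == "__main__":
    for uri, kind in classify_references(CONTRACT).items():
        print(f"{uri or '(whole document)'}: {kind}")
    print("digest with Signature removed:", enveloped_digest(CONTRACT))
```

Run as-is it reports file.doc as external, #contract2 as enveloping and #ImportantElement as detached, which matches Michael's reading of the book's example; CONTRACT_ID_ON_ROOT reports #ImportantElement as enveloped, which is Sean's variant. The digest helper also shows why the transform matters: editing SignatureValue leaves the digest unchanged, while editing the signed content changes it.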

