From: Francisco Sepulveda
To: security-dev@xml.apache.org
Subject: RE: doubt with enveloped signature concept
Date: Tue, 8 Jan 2008 19:46:14 +0000
In-Reply-To: <4783CF38.3020900@sun.com>
Thank you Sean for your time, I was almost going crazy because all the theory was collapsing in my mind ahahah because of the example in the book...

I'm using the xmlsec Java classes to sign documents ... I have to develop classes that support different kinds of signatures...

My point is ... let's suppose that I get the following XML document as input

<doc>
   <element id="123">
        </signature>
   </element>
</doc>

So if I have to create an enveloped signature for the element "element",

the result should be the following, right?

<doc>
   <element id="123">
        <signature>
            .....
            <reference URI="#123">
        </signature>
   </element>
</doc>

Using the Java API (javax.xml.crypto.dsig), will I have to construct the output XML document shown above with the signature??? let's say using a DocumentBuilderFactory instance and the createElement method, or is there a transparent way for the programmer to put the signature element inside the element "element"?? just using the Reference, SignedInfo and the rest of the traditional classes...?

Is my question a common application of digital signatures??? or am I completely lost???.... I am an undergraduate student working on his bachelor's and this is an investigation thesis so I'm laying the rules for secure standard communications ..... =(

Thanks Again

Francisco

> Date: Tue, 8 Jan 2008 14:30:00 -0500
> From: Sean.Mullan@Sun.COM
> Subject: Re: doubt with enveloped signature concept
> To: security-dev@xml.apache.org
>
> Francisco Sepulveda wrote:
> > Hello, I'm having problems with respect to what I understand about the
> > concept of an "enveloped signature".
> >
> > The W3C defines the signature as "The signature is over the XML content
> > that contains the signature as an element. The content provides the root
> > XML document element. Obviously, enveloped signatures must take care not
> > to include their own value in the calculation of the SignatureValue".
> >
> > I have seen that the following XML document has broad acceptance as a
> > typical use of digital signatures .... the classic enveloped signature of
> > the whole document:
> >
> > <document>
> >   <element>
> >   </element>
> >   <signature>
> >     <SignedInfo>
> >       ...
> >       <Reference URI="">
> >         <Transforms>
> >           <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> >         </Transforms>
> >         <DigestMethod .../>
> >         <DigestValue> .... </DigestValue>
> >       </Reference>
> >     </SignedInfo>
> >     ...
> >   </signature>
> > </document>
> >
> > In the above example, it is clear to me that the signature is a child
> > of the XML content being signed.
> >
> > But I read in a book from McGraw-Hill and it shows this example of a
> > signature that is enveloped, enveloping and detached...
> >
> > <Contract1>
> >   <ImportantContent Id="ImportantElement">
> >     This is important content!
> >   </ImportantContent>
> >   <Signature Id="ThreeTypes">
> >     <SignedInfo>
> >       <Reference URI="http://www.remote-server.com/file.doc">
> >         . . .
> >       </Reference>
> >       <Reference URI="#contract2">
> >         . . .
> >       </Reference>
> >       <Reference URI="#ImportantElement">
> >         . . .
> >       </Reference>
> >     </SignedInfo>
> >     <SignatureValue> . . . </SignatureValue>
> >     <Object Id="contract2">
> >       <Contract2> This is also very important content! </Contract2>
> >     </Object>
> >   </Signature>
> > </Contract1>
> >
> > FOR ME, the detached and enveloping signatures are REALLY clear, but I
> > have doubts about the enveloped signature .... the book said:
> >
> > "The Signature Element is enveloped by the <Contract1> element. This
> > particular association gives the XML Signature the enveloped property"
> >
> > So, that is my point, maybe I'm wrong but for me the <Reference
> > URI="#ImportantElement"> is a detached signature, or not???
>
> Based on the example above, you're right and the book is wrong. If in
> the example above, the ImportantElement ID was an attribute of the
> Content element then it would be enveloped. It might be nice to send the
> author a comment about that.
>
> > My final question is, if I really want to sign the <ImportantContent>
> > element using an enveloped signature, do I really need to put the
> > signature as a child of the <ImportantContent> element or not?? does the
> > location of the signature have a significant impact?
>
> Yes, otherwise it is not an enveloped signature.
>
> > or when the
> > signature is enveloped is it always located as the "last child" of the
> > document element inside an XML document..
>
> It doesn't have to be the last child, it could be the first, the second,
> or any descendant element.
>
> --Sean
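Added example (my own code, not from this thread, not from the xmlsec project, and not Sean's or Francisco's): it shows the "transparent way" Francisco asks about. With the JDK's built-in javax.xml.crypto.dsig DOM provider you never call createElement for the Signature: the parent node you hand to DOMSignContext decides where the generated ds:Signature subtree is appended, so passing the <element> node itself yields the enveloped form from the question. The input document, the element/attribute names (doc, element, id="123") and the throwaway RSA key are constructed for the demo; the helper names isEnvelopedBy and serialize are my own. It also implements the check Sean's answer implies on the verifying side: after validate() succeeds, confirm that the element the Reference resolves to is actually an ancestor of the Signature, otherwise what you validated is a detached signature over some other node, not the enveloped one you expected.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Collections;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

// Added example, not code from the mailing-list thread or the xmlsec project.
public class EnvelopedSignatureExample {

    // RSA-SHA256 algorithm URI (SignatureMethod.RSA_SHA256 exists from Java 11; spelled out here).
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    public static void main(String[] args) throws Exception {
        // Constructed input document, the one from the question.
        String xml = "<doc><element id=\"123\"><data>payload</data></element></doc>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // the DOM XMLDSig provider requires a namespace-aware DOM
        Document doc = dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));

        Element target = (Element) doc.getElementsByTagName("element").item(0);
        // Without a DTD or schema the parser does not know that "id" is an ID
        // attribute, so "#123" would not dereference; register it explicitly.
        target.setIdAttribute("id", true);

        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair(); // throwaway demo key

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        // Reference "#123" plus the enveloped-signature transform, which strips the
        // <Signature> element itself from the digest input (the W3C caveat in the thread).
        Reference ref = fac.newReference("#123",
                fac.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(
                        fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE,
                        (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(RSA_SHA256, null),
                Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())));

        // The parent node given to DOMSignContext decides where <Signature> is inserted:
        // passing `target` appends it as a child of <element>, i.e. the enveloped form.
        // sign() builds the whole ds:Signature subtree; no DocumentBuilder/createElement work.
        DOMSignContext dsc = new DOMSignContext(kp.getPrivate(), target);
        fac.newXMLSignature(si, ki).sign(dsc);

        Element sigEl = (Element) doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        System.out.println(serialize(doc));
        System.out.println("enveloped by signed element: " + isEnvelopedBy(sigEl, "123"));

        // Verifier side: a cryptographically valid signature is necessary but not sufficient;
        // also check that it is the expected (enveloped) relationship, see isEnvelopedBy.
        DOMValidateContext vc = new DOMValidateContext(kp.getPublic(), sigEl);
        System.out.println("signature valid: " + fac.unmarshalXMLSignature(vc).validate(vc));
    }

    // The enveloped property as Sean states it: the referenced element must be an
    // ancestor of <Signature> (first child, last child or any depth); otherwise the
    // Reference is detached, even if it lives in the same document.
    static boolean isEnvelopedBy(Element signature, String id) {
        Element signed = signature.getOwnerDocument().getElementById(id);
        if (signed == null) return false;
        for (Node n = signature.getParentNode(); n != null; n = n.getParentNode()) {
            if (n == signed) return true;
        }
        return false;
    }

    static String serialize(Document doc) throws Exception {
        StringWriter out = new StringWriter();
        TransformerFactory.newInstance().newTransformer()
                .transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }
}
```

Run it with `javac EnvelopedSignatureExample.java && java EnvelopedSignatureExample`; the printed document has ds:Signature nested inside <element id="123">, followed by `enveloped by signed element: true` and `signature valid: true`. Applied to the book's Contract1 example, isEnvelopedBy(sig, "ImportantElement") returns false, which matches Sean's verdict that the #ImportantElement reference is detached, while the #contract2 reference is enveloping because the Object sits inside the Signature.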