Posted to dev@santuario.apache.org by Berin Lautenbach <be...@wingsofhermes.org> on 2004/12/03 10:12:28 UTC

Re: Namespace moves

Nick,

For an enveloping signature - moving the namespace to the root should be 
fine, as the namespace is extant over the entire sub-tree that is being 
signed.  However if you have an enveloped signature, you might run into 
problems, depending on the type of canonicalisation you use.  If it is 
standard C14n, then the namespace node may appear in the data being 
signed and that would cause a reference to break.

Caveat - I haven't thought too hard - late night last night, so feel 
free to tell me I'm wrong :>.

Cheers,
	Berin

Nick Sydenham wrote:

> I'm looking at an existing problem with some of our code and couldn't 
> find a definitive answer in the W3C Recommendation. Basically, it's not 
> clear from the spec how moving a namespace definition affects the 
> validity of a signature. For instance, if I have:
> 
> <SignedInfo xmlns:gt="http://www.wibble.com/CM/envelope">
> ...
> <Transform Algorithm="...">
>     <XPath>(count(ancestor-or-self::node()/gt:Message/gt:Body)=...
> </Transform>
> </SignedInfo>
> 
> If I then return an enveloping signature with the gt namespace moved to 
> the root element the XML document is still valid as the namespace is 
> still declared on an ancestor node. However, from an XML Signature point 
> of view I have changed the SignedInfo element which in theory breaks the 
> signature. Is this a correct analysis or should moving the namespace 
> definition not affect the signature validity?
> 
> TIA,
> 
> Nick
> 
>
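
The enveloped case from Berin's reply, as an added example that is not part of the original thread: a simplified canonicaliser (elements, attributes and text only, not a conforming C14N implementation) applied to a constructed enveloped document before and after the gt declaration is moved to the root. The Doc and Body elements, the function names and the use of SHA-256 are assumptions made for the illustration.

```python
import hashlib
from xml.dom import minidom
from xml.sax.saxutils import escape, quoteattr

DSIG = "http://www.w3.org/2000/09/xmldsig#"
GT = "http://www.wibble.com/CM/envelope"  # namespace URI from the quoted snippet

def _decl(qname):
    """Name of the xmlns attribute that binds the prefix used by qname."""
    return "xmlns:" + qname.split(":")[0] if ":" in qname else "xmlns"

def _walk(node, in_scope, rendered, exclusive, out):
    if node.nodeType == node.TEXT_NODE:
        out.append(escape(node.data))
    if node.nodeType != node.ELEMENT_NODE:
        return
    if node.namespaceURI == DSIG and node.localName == "Signature":
        return  # enveloped-signature transform: the Signature is not digested
    in_scope, rendered, attrs = dict(in_scope), dict(rendered), {}
    for name, value in node.attributes.items():
        (in_scope if name.split(":")[0] == "xmlns" else attrs)[name] = value
    used = {_decl(node.tagName)} | {_decl(a) for a in attrs if ":" in a}
    # Inclusive C14N keeps every in-scope namespace; exclusive keeps only
    # those visibly used by the element or attribute names.
    wanted = {k: v for k, v in in_scope.items() if not exclusive or k in used}
    new = {k: v for k, v in wanted.items() if rendered.get(k) != v}
    rendered.update(new)
    parts = [f" {k}={quoteattr(v)}" for k, v in sorted(new.items()) + sorted(attrs.items())]
    out.append(f"<{node.tagName}{''.join(parts)}>")
    for child in node.childNodes:
        _walk(child, in_scope, rendered, exclusive, out)
    out.append(f"</{node.tagName}>")

def digest_input(xml, exclusive):
    """Octets the Reference digest is computed over (simplified)."""
    out = []
    _walk(minidom.parseString(xml).documentElement, {}, {}, exclusive, out)
    return "".join(out)

def reference_digest(xml, exclusive):
    return hashlib.sha256(digest_input(xml, exclusive).encode()).hexdigest()

# Constructed samples: the same enveloped document, gt declared on SignedInfo vs. on the root.
ORIGINAL = (f'<Doc><Body>payload</Body><ds:Signature xmlns:ds="{DSIG}">'
            f'<ds:SignedInfo xmlns:gt="{GT}"/></ds:Signature></Doc>')
MOVED = (f'<Doc xmlns:gt="{GT}"><Body>payload</Body><ds:Signature xmlns:ds="{DSIG}">'
         '<ds:SignedInfo/></ds:Signature></Doc>')
```

With exclusive=False the moved declaration shows up on Doc in the digested data and the digest changes; with exclusive=True it is dropped because nothing in the signed content visibly uses the gt prefix.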