[xmlsec] "soft error" when calling xmlSecDSigValidate

Aleksey Sanin aleksey at aleksey.com
Mon Feb 10 15:29:39 PST 2003


I just wonder, why you don't want to put signature in the original
document? Your system may easily insert the Signature at the
beginning of original document and later easily remove it so
nobody else will see it.
IMHO, the hash based approach removes all the XML DSig "beef".
There is no reason why you could not just send calculated hash
in any binary format.

Aleksey


Meg Morgan wrote:

>What we decided to do is to create a hash of the data we REALLY want
>signed, and put the hash into a nice little xml tree, and sign THAT.  That
>way we can pluck out the signature from the document and call it "detached"
>if we want to.
>
>To check, we recalculate the hash of the original data, compare it with
>what is in the signed document blob, then use the xmlsec functions to
>check the signature against the public key.  In this way we can avoid
>using URI references while still masking the content of our original
>data.
>
>Thanks again,
>meg
>
>Aleksey Sanin wrote:
>  
>
>>Actually, you have one more option: use a special protocol name
>>(like "thisismyprotocol://....") and write custom protocol handlers
>>that will read document from memory. Though, it might be not such
>>a good idea because of interop issues in the future.
>>
>>Aleksey
>>    
>>
>
>  
>
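
The hash-then-sign check described in Meg Morgan's quoted message, as an added Python example that is not part of the original thread or of xmlsec. Assumptions: the `Manifest`/`Digest` element names and SHA-256 are hypothetical choices, and HMAC-SHA256 with a constructed key stands in for the XML DSig public-key signature that xmlsec would create and verify.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed demo key. HMAC-SHA256 is a stand-in (assumption) for the
# XML DSig public-key signature that xmlsec would create and verify.
DEMO_KEY = b"constructed-demo-key"


def make_manifest(data: bytes) -> bytes:
    """Put the hash of the real data into a small XML tree (names are hypothetical)."""
    root = ET.Element("Manifest")
    ET.SubElement(root, "Digest", {"alg": "sha256"}).text = hashlib.sha256(data).hexdigest()
    return ET.tostring(root)


def sign(manifest: bytes, key: bytes) -> str:
    """Sign the manifest bytes only; the original data is never passed in."""
    return hmac.new(key, manifest, hashlib.sha256).hexdigest()


def verify(data: bytes, manifest: bytes, signature: str, key: bytes) -> str:
    """Return 'ok' only when the signature and the recomputed hash both match."""
    # Authenticate the manifest before parsing it (ordering is this example's choice).
    if not hmac.compare_digest(sign(manifest, key).encode(), signature.encode()):
        return "bad-signature"
    node = ET.fromstring(manifest).find("Digest")
    if node is None or node.get("alg") != "sha256" or not node.text:
        return "bad-manifest"
    # Recompute the hash of the original data and compare with the signed value.
    recomputed = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(node.text.encode(), recomputed.encode()):
        return "data-mismatch"
    return "ok"


if __name__ == "__main__":
    original = b"<order id='17'><amount>100</amount></order>"  # constructed sample
    manifest = make_manifest(original)
    sig = sign(manifest, DEMO_KEY)
    print(verify(original, manifest, sig, DEMO_KEY))
    print(verify(original.replace(b"100", b"900"), manifest, sig, DEMO_KEY))
    print(verify(original, make_manifest(b"other"), sig, DEMO_KEY))
```

The signature covers only the manifest, so a verifier that skips the hash comparison accepts any data alongside a validly signed manifest.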




