[xmlsec] Re: Detached Signatures (same-document)

Aleksey Sanin aleksey at aleksey.com
Sun Oct 10 21:20:54 PDT 2004


Please, read the FAQ for explanations why it is done the way it is done.

Aleksey

Larry Bugbee wrote:
> Aleksey,
> 
> A DTD might suffice as a temporary workaround, but I don't believe a  
> user of xmlsec or pyxmlsec should have to supply a DTD to fix things.   
> Especially as Andrew points out, when such is not the case with other  
> implementations.  Are we not in need of a change?
> 
> To xmlsec or libxml2?  I can see a lot of points and counterpoints, but  
> my first impression is that xmlsec should accept 'Id' attributes if the  
> value matches the signature's URI fragment reference.  Is a change to  
> libxml the right way to do that?  I dunno.  Like I said,  
> point/counterpoint.  ...but something's not right.
> 
> Thots?
> 
> ...and I was so close.  ;-)
> 
> Larry
> 
> See also:
>   http://www.aleksey.com/pipermail/xmlsec/2003/001154.html
>   http://lists.labs.libre-entreprise.org/pipermail/pyxmlsec-devel/2004-October/000023.html (and #24)
> 
> 
> 
> On Oct 10, 2004, at 7:20 PM, Andrew Fan wrote:
> 
>> Larry Bugbee wrote:
>>
>>> Andrew,
>>>
>>> I read your email thread from a couple of months back having to do  
>>> with detached signatures.   
>>> (http://www.aleksey.com/pipermail/xmlsec/2003/001154.html)  I'm  
>>> having the same problem and am not happy with the 'suggested  
>>> solution'.  Before I go any further I want to check and see if you  
>>> discovered anything new.
>>>
>>> Rereading the W3C specification, section 4.3.3 and especially  
>>> 4.3.3.3, I see the word 'MUST' several times and no hint at needing  
>>> to provide a DTD.  ...although FAQ section 3.2  
>>> (http://www.aleksey.com/xmlsec/faq.html) talks about a DTD to cover a
>>> *warning* for empty node sets.  But, if they are not empty, a DTD
>>> should not be necessary.  I believe there is an implementation error  
>>> somewhere between xmlsec and libxml.
>>>
>> Yes, there is some implementation error or unintended behaviour in
>> xmlsec or libxml. It is sure that ID is a DTD-defined attribute, but
>> other XML security toolkits (such as Java, Apache) treat it as an ID
>> attribute, while libxml just treats it as a normal attribute during
>> DOM building. Because core xmlsec takes no responsibility for building
>> the DOM, it has no idea how to find the ID-referred node, I think.
>>
>> I implemented according to Aleksey's suggestions in his FAQs.
>>
>>> Am I missing something?
>>>
>>> Thanks,
>>>
>>> Larry
>>>
>>
>>
> 
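
Added example, not part of the original messages and not xmlsec or libxml2 code: Python's standard-library `xml.dom.minidom` behaves like the libxml described in the thread, in that an attribute named `Id` stays an ordinary attribute until it is declared as an ID, so a same-document reference such as `URI="#data1"` resolves to nothing. The sample document and the helper names `register_ids` and `resolve_reference` are constructed for illustration; the explicit registration plays the role that libxml2's `xmlAddID` plays for a C caller.

```python
from xml.dom import minidom

# Constructed sample: signed data and a same-document reference to it.
SAMPLE = (
    '<Envelope>'
    '<Data Id="data1">payload</Data>'
    '<Signature><SignedInfo><Reference URI="#data1"/></SignedInfo></Signature>'
    '</Envelope>'
)

def walk(node):
    """Yield node and every element below it, in document order."""
    if node.nodeType == node.ELEMENT_NODE:
        yield node
    for child in node.childNodes:
        yield from walk(child)

def register_ids(doc, id_attr_names):
    """Mark the named attributes as IDs; refuse duplicate ID values.

    Hypothetical helper: the caller states which attribute names count
    as IDs instead of relying on a DTD to declare them.
    """
    seen = {}
    for elem in walk(doc.documentElement):
        for name in id_attr_names:
            if not elem.hasAttribute(name):
                continue
            value = elem.getAttribute(name)
            if value in seen:
                # Two elements with one ID make the reference ambiguous.
                raise ValueError(f"duplicate ID value {value!r}")
            seen[value] = elem
            elem.setIdAttribute(name)
    return len(seen)

def resolve_reference(doc, uri):
    """Resolve a same-document '#fragment' URI to an element, or None."""
    if not uri.startswith("#") or len(uri) == 1:
        raise ValueError("not a same-document fragment reference")
    return doc.getElementById(uri[1:])

def demo():
    doc = minidom.parseString(SAMPLE)
    uri = doc.getElementsByTagName("Reference")[0].getAttribute("URI")
    before = resolve_reference(doc, uri)   # no ID declared yet
    count = register_ids(doc, ["Id"])      # declare 'Id' as an ID attribute
    after = resolve_reference(doc, uri)
    return before, count, after.tagName

if __name__ == "__main__":
    print(demo())
```

Rejecting duplicate ID values at registration time keeps a `#fragment` reference from pointing at more than one candidate element.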


