[xmlsec] Signature in different namespace

G. Ken Holman gkholman at CraneSoftwrights.com
Mon Oct 15 15:40:37 PDT 2012


At 2012-10-16 00:23 +0200, Simon Josefsson wrote:
>"G. Ken Holman" <gkholman at CraneSoftwrights.com> writes:
>
> >        <xsd:element ref="ds:Signature" minOccurs="0" maxOccurs="1">
>...
> > I hope this helps.
>
>Thank you -- 'ref="ds:Signature"' is used in SAML Assertion as well so
>it seems like a good approach.

Not "good", but correct.  The declaration you showed creates an 
element named "Signature" in the incorrect namespace, not in the 
digital signature namespace.  I believe that example you cite is 
absolutely wrong.

>More insight into this would be appreciated.  Is there any way the RFC
>6030 approach could work?  I'm concerned that there is an example in the
>RFC that people may have modelled their implementations after.  My
>current approach to remove the ds: prefix on the Signature element leads
>to valid XML so that workaround would work even if it isn't kosher.

It may be well-formed XML but it isn't valid according to the XMLDsig 
specification.  That specification states that Signature must be in 
the digital signature namespace (the prefix "ds:" is irrelevant; 
"simon:Signature" is schema valid if 
xmlns:simon="http://www.w3.org/2000/09/xmldsig#").  The specification is clear:

  http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-Signature

... and the spec shows it being declared both with a prefix (in XSD) 
and without a prefix (in DTD).  The prefix is irrelevant.  The 
namespace URI is crucial.

If people don't use XML properly, I can't see why they would expect 
it to work.  This is basic namespace-valid XML stuff.

I have a free video lecture on namespaces (in general, not specific 
to digital signatures) in my XSLT class at:

   http://www.CraneSoftwrights.com/links/udemy-ptux-online.htm
   (54:09 mark of Module 1 Lecture 1 - The XML Family of Recommendations)

>Having some pointer to text in the XMLDsig standard explaining that this
>is improper would help.

Why would a standard describe what is incorrect?  How would it know 
what to put in the list of incorrect things before the standard is 
out in the public being incorrectly used?  Wouldn't having such 
examples lead to confusion if users don't read the document properly 
and start quoting the incorrect examples?  Users should just 
implement it correctly.  It looks like some are already not reading 
the document properly.

Please forgive my frustration.  This isn't a fault of XML, it is a 
fault of the people writing incorrect examples.

I hope this has helped.

. . . . . . . . Ken


--
Contact us for world-wide XML consulting and instructor-led training
Free 5-hour lecture: http://www.CraneSoftwrights.com/links/udemy.htm
Crane Softwrights Ltd.            http://www.CraneSoftwrights.com/z/
G. Ken Holman                   mailto:gkholman at CraneSoftwrights.com
Google+ profile: https://plus.google.com/116832879756988317389/about
Legal business disclaimers:    http://www.CraneSoftwrights.com/legal
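As an added illustration of the point made above (this is not code from the thread or from xmlsec): a small Python check that reports which namespace URI each Signature element actually resolves to, over several constructed sample documents, including the "drop the ds: prefix" workaround. The prefix never appears in the result, only the URI it was bound to.

```python
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"


def split_qname(tag):
    """Split ElementTree's '{uri}local' tag form into (uri, local).
    An element in no namespace at all comes back with uri == ''."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        return uri, local
    return "", tag


def signature_namespaces(xml_text):
    """Namespace URI of every element whose local name is 'Signature',
    in document order. The parser has already resolved prefixes, so a
    'ds:' or 'simon:' prefix bound to the same URI looks identical here."""
    root = ET.fromstring(xml_text)
    return [split_qname(el.tag)[0] for el in root.iter()
            if split_qname(el.tag)[1] == "Signature"]


def signature_in_dsig_namespace(xml_text):
    """True only if at least one Signature element exists and every one
    of them is in the XMLDSig namespace."""
    uris = signature_namespaces(xml_text)
    return bool(uris) and all(uri == DSIG_NS for uri in uris)


# Constructed sample documents (not real SAML or RFC 6030 messages).
SAMPLES = {
    "ds_prefix": '<Doc xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature/></Doc>',
    "simon_prefix": '<Doc xmlns:simon="http://www.w3.org/2000/09/xmldsig#"><simon:Signature/></Doc>',
    "default_ns": '<Doc><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"/></Doc>',
    # Prefix removed with no default namespace: Signature is in no namespace.
    "no_namespace": '<Doc><Signature/></Doc>',
    # Prefix removed inside a container that has its own default namespace.
    "container_default": '<Doc xmlns="urn:example:container"><Signature/></Doc>',
    # Familiar 'ds:' prefix, but bound to the wrong URI.
    "wrong_uri": '<Doc xmlns:ds="urn:example:not-dsig"><ds:Signature/></Doc>',
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        status = "OK " if signature_in_dsig_namespace(doc) else "BAD"
        print(f"{status} {name:18} -> {signature_namespaces(doc)}")
```

The three "BAD" rows are all well-formed XML and pass through ElementTree without complaint; only a check on the resolved URI tells them apart from the valid ones.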
