RE: XML Signature - Request for clarification [Virus checked]

Marcus,

your first example

   <Reference URI="#xpointer(//*[@authenticate='true'])">

is correct. The other thing *would* be the escape sequence which you need when sensing the URI as part of a GET request to some web server, i.e. when the URI would be consumed and cracked by an HTTP server. That is not the case at XML Signature: the @URI attribute here is processed by an XML Signature library, which does not expect that escaping. Doing RFC2396 escaping in a ds:Reference/@URI is wrong (and just feeding that into a concrete implementation should actually give you that answer with some nice exception :)).

Best regards,
Christian

Europäisches Microsoft Innovations Center GmbH, Ritterstrasse 23, D-52072 Aachen, Germany
Geschäftsführer: Keith Dolliver, Benjamin O. Orndorff; Amtsgericht Aachen, HRB 12066
http://www.microsoft.com/emic/

From: w3c-ietf-xmldsig-request@w3.org [mailto:w3c-ietf-xmldsig-request@w3.org] On Behalf Of Marcus.Ertel@Extern.Sparkassen-Informatik.de
Sent: Montag, 6. August 2007 14:26
To: public-xmlsec-maintwg@w3.org
Cc: w3c-ietf-xmldsig@w3.org; Konrad.Lanz@iaik.tugraz.ac.at; m.ertel@gmx.com; Heiko.Dittmann@Sparkassen-Informatik.de
Subject: XML Signature - Request for clarification [Virus checked]


Ladies and Gentlemen:

Let me start with a brief introduction of the issue that makes me ask for a clarification from your side.
My name is Marcus Ertel and I am with "Sparkassen Informatik", one of the biggest IT service providers in Germany. We are currently busy introducing the new money transfer standard EBICS (Electronic Banking Internet Communication Standard; please see <http://www.ebics-zka.de/english/spec/specification_en.htm>) which relies heavily on XML and particularly XML Signature.

The various implementations of EBICS raised a discussion concerning the handling of the Reference URI in the SignedInfo element of an XML signature. The issue is, quite briefly, as follows:

The XML data of an EBICS message contain a <SignedInfo> element with a <Reference URI> that contains an XPointer:

        <Reference URI="#xpointer(//*[@authenticate='true'])">

Now there's an ongoing discussion about the handling of this URI before the calculation of the XML Signature. One opinion is as follows:
In order to obtain a valid, RFC 2396 compliant URI, parts of the Reference URI have to be escaped properly. Hence, the URI fed into the signature process is as follows:

<Reference URI="#xpointer(%2F%2F*%5B%40authenticate%3D%27true%27%5D)">

On the other hand, there is quite the opposite opinion. Its proponents say that no escaping at all is necessary, because the URI consists of just an XPointer. And as all the candidates for escaping are parts of this XPointer, they do not infringe the requirements of RFC 2396.

Could you please kindly advise on how to process this special URI? We need this clarification because there are ISV's providing the German banking software market with these two implementations of the XML Signature standard. This in turn leads to products unable to cope with each other while all of them claim to be compliant with the XML Signature standard.

Thank you very much in advance and best regards from Munich

Marcus Ertel, Sparkassen Informatik

Sparkassen Informatik GmbH & Co.KG
Richard-Reitzner-Allee 8
85540 München / Haar

_____________________________________________________________________

Sparkassen Informatik GmbH & Co. KG, Theodor-Heuss-Allee 90, D 60486 Frankfurt a.M.
Amtsgericht Frankfurt a.M. HRA 30059; Aufsichtsratsvorsitzender: Dr. Rolf Gerlach; Persönlich haftende Gesellschafterin: Sparkassen Informatik Verwaltungsgesellschaft mbH, Sitz: Frankfurt a.M., Amtsgericht Frankfurt a.M. HRB 52289, Geschäftsführer: Fridolin Neumann (Vorsitzender), Franz-Theo Brockhoff (stv. Vorsitzender), Werner Brunner (stv. Vorsitzender), Uwe Katzenburg (stv. Vorsitzender), Willi Bär, Harald Lux;
Internet: http://www.sparkassen-informatik.de, E-Mail: kontakt@sparkassen-informatik.de