RE: [xml-dev] Is the XML Schema for XML Digital Signatures needed?

["G. Ken Holman" <gkholman@CraneSoftwrights.com>]

At 2018-07-27 20:03 +0000, Costello, Roger L. wrote:
> > if something claims that it's signed,
> > we should just accept that.
>
> Ah, that's an interesting point. A digsig tool might not produce a 
> correctly formatted <ds:Signature> and therefore it would be useful 
> to validate the <ds:Signature> against the digsig XML Schema.
As part of a post-mortem, yes.

How might that be useful before being checked? If the tool does not 
produce a correctly-formatted signature, the signature-checking logic 
would throw a sufficient error that you would rightly not trust the 
signature or the signed document.

In my own experience with DigSig, I've never needed to use DigSig XML 
Schema except in a post-mortem after an abend. As long as the 
signature is checked without any errors, I've never been worried 
about schema validation.

That said, I have included DigSig in the UBL schema tree. Some UBL 
users may want to validate their entire document after their tools 
have created it and before they send it. Some enter into commitments 
of schema validity before transmission.

You started off this thread with a lot of what I thought was obvious, 
DigSig schema is useful probably only in a post-mortem. It isn't even 
useful in authoring, because I'm not about to generate a DigSig by 
hand. The available tools handle generation and checking.

. . . . . . Ken


--
Contact info, blog, articles, etc. http://www.CraneSoftwrights.com/x/ |
Check our site for free XML, XSLT, XSL-FO and UBL developer resources |
Streaming hands-on XSLT/XPath 2 training class @ US$45 (5 hours free) |