[KEYPROV] Bug in PSKC XML schema wrt XMLDsig?

Simon Josefsson <simon@josefsson.org> Tue, 16 October 2012 08:07 UTC

Return-Path: <simon@josefsson.org>
X-Original-To: keyprov@ietfa.amsl.com
Delivered-To: keyprov@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id AA24821F8862 for <keyprov@ietfa.amsl.com>; Tue, 16 Oct 2012 01:07:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.444
X-Spam-Status: No, score=-99.444 tagged_above=-999 required=5 tests=[AWL=0.465, BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, HELO_MISMATCH_COM=0.553, HOST_EQ_STATICB=1.372, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 1gtu2TJ2PokP for <keyprov@ietfa.amsl.com>; Tue, 16 Oct 2012 01:07:31 -0700 (PDT)
Received: from yxa-v.extundo.com (static-213-115-179-173.sme.bredbandsbolaget.se []) by ietfa.amsl.com (Postfix) with ESMTP id AAD3021F8832 for <keyprov@ietf.org>; Tue, 16 Oct 2012 01:07:29 -0700 (PDT)
Received: from latte (host-95-193-1-90.mobileonline.telia.com []) (authenticated bits=0) by yxa-v.extundo.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id q9G87Kxr029709 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT) for <keyprov@ietf.org>; Tue, 16 Oct 2012 10:07:22 +0200
X-Hashcash: 1:22:121016:keyprov@ietf.org::wNF4G97uLRH1uJ7+:VyH1
From: Simon Josefsson <simon@josefsson.org>
To: keyprov@ietf.org
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
Date: Tue, 16 Oct 2012 10:07:14 +0200
Message-ID: <87vceaq1ql.fsf@latte.josefsson.org>
User-Agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/24.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Virus-Scanned: clamav-milter 0.97.3 at yxa-v
X-Virus-Status: Clean
Subject: [KEYPROV] Bug in PSKC XML schema wrt XMLDsig?
X-BeenThere: keyprov@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Provisioning of Symmetric Keys \(keyprov\)" <keyprov.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/keyprov>, <mailto:keyprov-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyprov>
List-Post: <mailto:keyprov@ietf.org>
List-Help: <mailto:keyprov-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyprov>, <mailto:keyprov-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Oct 2012 08:07:31 -0000


I have implemented support for XMLDsig protected PSKC and ran into an
issue with the XML Schema for PSKC.  It seems the Signature element is
in the wrong namespace, making it incompatible with the XMLDsig

There is a thread on this on the XMLSec mailing list:


Both Aleksey Sanin (author of the XMLSec library) and G. Ken Holman (XML
expert) appear to believe this is an error in the schema:


The fix appears to be simple, but before filing an RFC errata for this
I'd thought I should bring this up in case anyone wants to comment.

Section 7:



Section 11:

               <xs:element name="Signature"
                    type="ds:SignatureType" minOccurs="0"/>

               <xs:element ref="ds:Signature" minOccurs="0">