Subject: In a VerifyRequest we need to disambiguate
From: Konrad Lanz (Konr@labs.cio.gv.at)
Date: Nov 29, 2006 9:13:39 am
List: org.oasis-open.lists.dss

Dear all,

In a <dss:VerifyRequest> we need some disambiguation in the case of a request carrying multiple <dss:DocumentHash>, <dss:TransformedData> or a combination of those having the same RefURI.

Although I have to admit that this is a corner case, it is not so unlikely, as Signatures created with SignedReferences allow to create multiple <ds:References> from the same input document and hence they may have the same URI.

Section 4.3 point 2. variant b. and also variant c. now ask to check the matching <ds:Transforms> or the <ds:Transforms> and the <ds:DigestMethod> to the <ds:References> inside the Signature's <ds:SignedInfo>.

However, as the <ds:Transforms> and the <ds:DigestMethod> can be arbitrarily complex, like for example an XSLT <ds:Transform> bearing the <xsl:stylesheet> directly, this can be very hard and expensive to do. It might even out the usefulness of <dss:DocumentHash>, <dss:TransformedData> for such cases.

The comparison could amount to a context-free extract of the <ds:Transforms> and <ds:DigestMethod> elements and the need to canonicalize them if a true matching as required in section 4.3 point 2 should be done.

A straightforward solution to get rid of these problems would be to introduce an attribute called <xs:attribute name="WhichReference" type="xs:integer" use="optional"/> that identifies a reference and is required in the case of a supplied <dss:TransformedData> or <dss:DocumentHash> and would allow to ignore the given <ds:Transforms> or the <ds:Transforms> and the <ds:DigestMethod> respectively.

Thoughts?

Regards, Konrad
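
The ambiguity raised in the message above, and how an explicit index removes it, as an added example that is not part of the original post or of the DSS specification. It assumes `WhichReference` is a zero-based position among the `<ds:Reference>` elements of `<ds:SignedInfo>`; the function name `bind_inputs` and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
DSS = "{urn:oasis:names:tc:dss:1.0:core:schema}"

# Constructed sample: two ds:Reference elements derived from the same document.
SIGNED_INFO = """<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Reference URI="doc.xml"/><ds:Reference URI="doc.xml"/>
  <ds:Reference URI="other.xml"/>
</ds:SignedInfo>"""

# Constructed sample inputs; digest and transform children omitted for brevity.
INPUTS = """<dss:InputDocuments xmlns:dss="urn:oasis:names:tc:dss:1.0:core:schema">
  <dss:DocumentHash RefURI="doc.xml" WhichReference="1"/>
  <dss:DocumentHash RefURI="doc.xml"/>
  <dss:DocumentHash RefURI="other.xml"/>
  <dss:TransformedData RefURI="doc.xml" WhichReference="2"/>
</dss:InputDocuments>"""

def bind_inputs(signed_info_xml, inputs_xml):
    """Return one (status, reference_index) tuple per input element."""
    root = ET.fromstring(signed_info_xml)
    uris = [r.get("URI") for r in root.iter(DS + "Reference")]
    results = []
    for el in ET.fromstring(inputs_xml):
        if el.tag not in (DSS + "DocumentHash", DSS + "TransformedData"):
            continue
        ref_uri, which = el.get("RefURI"), el.get("WhichReference")
        candidates = [i for i, u in enumerate(uris) if u == ref_uri]
        if which is not None:
            # Explicit index (assumed zero-based): bind directly, but reject an
            # index that is out of range or names a reference with another URI.
            idx = int(which)
            ok = 0 <= idx < len(uris) and uris[idx] == ref_uri
            results.append(("bound", idx) if ok else ("mismatch", None))
        elif len(candidates) == 1:
            results.append(("bound", candidates[0]))
        elif candidates:
            # Several references share this RefURI: only a comparison of
            # ds:Transforms / ds:DigestMethod could decide, the costly step.
            results.append(("ambiguous", None))
        else:
            results.append(("unmatched", None))
    return results
```

A verifier would treat `ambiguous` and `mismatch` as reasons to reject the request or fall back to the full transform comparison, rather than binding a hash to whichever reference comes first.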