There's a third, rather bizarre choice: you can specify the namespace in the BBB element twice, once with a prefix and once without. The latter becomes the default namespace.

<aa:BBB xmlns:aa="http://x.y.org/BBB"
        xmlns="http://x.y.org/BBB"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://x.y.org/BBB">
  <YYY><ZZZ>Something</ZZZ></YYY>
</aa:BBB>

Hard to understand, huh? But it serves a purpose: it should now be clear that either of your approaches is better than this!

Neither is inherently superior to the other, however. Consistently using namespace prefixes makes it very clear what namespace applies, but makes for verbose documents. Using a default namespace makes for concise documents that are easy to read quickly - until you need to figure out what elements belong in what namespace.

So either of your approaches is correct. You get to choose which is better based on your own criteria. But please don't do it the way I describe above, unless your goal is to make readers scratch their heads and question your intelligence and/or sanity!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernd Becker
Sent: Tuesday, July 13, 2004 12:23 PM
To: [EMAIL PROTECTED]
Subject: [xmlsec] namespaces in enveloping signature

Hi,

I am using xmlsec in a server to sign a message in the enveloping variant, i.e. the message to be signed is embedded in the Object element of the Signature.
It looks something like this:

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
    <Reference URI="#MyObj">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
      <DigestValue>...</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>...</SignatureValue>
  <Object Id="MyObj">
    <aa:BBB xmlns:aa="http://x.y.org/BBB"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:schemaLocation="http://x.y.org/BBB">
      <YYY><ZZZ>Something</ZZZ></YYY>
    </aa:BBB>
  </Object>
</Signature>

The receiving client is having a problem parsing or validating this, because the elements YYY and ZZZ are not qualified with the namespace prefix aa, and thus it is assuming the default namespace (xmldsig) defined in the Signature element.

One solution would be to define a namespace prefix in the Signature and use that, avoiding the definition of the default namespace. But right now it is not possible to set it in xmlsec and there seems to be agreement not to support it.

The other two solutions are probably:

1. explicitly qualify all elements within BBB with the prefix aa

<aa:BBB xmlns:aa="http://x.y.org/BBB"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://x.y.org/BBB">
  <aa:YYY><aa:ZZZ>Something</aa:ZZZ></aa:YYY>
</aa:BBB>

2. not to use the prefix aa at all but instead define a new default namespace

<BBB xmlns="http://x.y.org/BBB"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://x.y.org/BBB">
  <YYY><ZZZ>Something</ZZZ></YYY>
</BBB>

What is the better or more correct way to go?

Thanks in advance for any help,
Bernd

_______________________________________________
xmlsec mailing list
[EMAIL PROTECTED]
http://www.aleksey.com/mailman/listinfo/xmlsec
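
Added example, not part of the original thread and not xmlsec code: a Python sketch that resolves which namespace each payload element ends up in once it sits inside an enveloping Signature, for the four payload shapes discussed above. The helper names, the stripped-down Signature skeleton (no SignedInfo or SignatureValue) and the omission of the xsi attributes are assumptions made for illustration; it shows namespace scoping only, not signing.

```python
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
BBB_NS = "http://x.y.org/BBB"

# Constructed payloads: the four shapes from the thread, xsi attributes omitted.
PAYLOADS = {
    "original": '<aa:BBB xmlns:aa="http://x.y.org/BBB">'
                '<YYY><ZZZ>Something</ZZZ></YYY></aa:BBB>',
    "prefixed": '<aa:BBB xmlns:aa="http://x.y.org/BBB">'
                '<aa:YYY><aa:ZZZ>Something</aa:ZZZ></aa:YYY></aa:BBB>',
    "default":  '<BBB xmlns="http://x.y.org/BBB">'
                '<YYY><ZZZ>Something</ZZZ></YYY></BBB>',
    "both":     '<aa:BBB xmlns:aa="http://x.y.org/BBB" xmlns="http://x.y.org/BBB">'
                '<YYY><ZZZ>Something</ZZZ></YYY></aa:BBB>',
}

def envelop(payload):
    """Wrap a payload in a skeleton enveloping Signature that sets the xmldsig default namespace."""
    return f'<Signature xmlns="{DSIG}"><Object Id="MyObj">{payload}</Object></Signature>'

def split_tag(tag):
    """Split ElementTree's '{uri}local' tag form into (uri, local)."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        return uri, local
    return "", tag

def payload_namespaces(signature_xml):
    """Map each element below Object to the namespace URI a conforming parser assigns it."""
    root = ET.fromstring(signature_xml)
    obj = root.find(f"{{{DSIG}}}Object")
    resolved = {}
    for el in obj.iter():
        if el is obj:
            continue
        uri, local = split_tag(el.tag)
        resolved[local] = uri
    return resolved

def misplaced(signature_xml):
    """Return payload element names that did not resolve to the BBB namespace."""
    names = payload_namespaces(signature_xml)
    return sorted(local for local, uri in names.items() if uri != BBB_NS)

if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        bad = misplaced(envelop(payload))
        print(f"{name:9s}", bad or "all payload elements in the BBB namespace")
```

Only the "original" shape reports YYY and ZZZ as misplaced: unprefixed children inherit the nearest default namespace declaration, which there is the one on Signature.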
