I would like to know if it’s possible to validate signatures referencing documents already stored in Tamino. I know it’s possible to reference external documents using HTTP, but I would like to reference another Tamino document (using the ino:docname, for example) or customize the way the security extension resolves the external references.
My problem is this:
I receive an XML document with pure data and an XML signature document signing the first one. Both documents are transferred within a multipart MIME envelope. So I want to store the documents in Tamino and check for signature validity. Any suggestions?
I have some questions: when is the first document signed, before or after it has been stored in Tamino? If it has been signed before, how does the signature reference it (if it is not an embedding or an embedded signature) and which kind of signature is used? I assume a detached signature? How are the documents stored in Tamino: within the multipart MIME envelope, or do you extract the document and the signature before storing?
Yes, the document is signed before being stored (by the author). The multipart MIME envelope carries the XML document and its signature in two MIME parts. So yes, it’s a detached signature. The MIME envelope parts are extracted by a servlet and the two XML documents are stored in Tamino.
I just found I can design the application using an enveloped signature. So don’t worry anymore about this problem.
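For the detached case asked about at the top of the thread, this is an added example (not part of the original posts and not Tamino's security extension) showing how reference resolution can be pinned to already-stored documents with the standard Java XML Digital Signature API (`javax.xml.crypto`). The `stored:` URI scheme, the class name and the in-memory `Map` standing in for the document store are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.security.Key;
import java.util.Map;
import javax.xml.crypto.OctetStreamData;
import javax.xml.crypto.URIDereferencer;
import javax.xml.crypto.URIReference;
import javax.xml.crypto.URIReferenceException;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import org.w3c.dom.Node;

public class StoredDocumentValidator {
    // Hypothetical scheme for references to stored documents, e.g. "stored:order-42".
    static final String SCHEME = "stored:";

    // Resolves Reference URIs only against the local store. Anything else
    // (http:, file:, same-document "#id") is refused, so a signature cannot
    // make the validator fetch a resource chosen by the sender.
    static URIDereferencer storeDereferencer(Map<String, byte[]> store) {
        return (URIReference ref, XMLCryptoContext ctx) -> {
            String uri = ref.getURI();
            if (uri == null || !uri.startsWith(SCHEME)) {
                throw new URIReferenceException("Refusing non-store reference: " + uri);
            }
            byte[] doc = store.get(uri.substring(SCHEME.length()));
            if (doc == null) {
                throw new URIReferenceException("Unknown stored document: " + uri);
            }
            // The digest is computed over these exact octets, so the store must
            // hold the bytes as received, not a re-serialized copy.
            return new OctetStreamData(new ByteArrayInputStream(doc));
        };
    }

    // signatureNode: the ds:Signature element parsed with a namespace-aware parser.
    // verificationKey: the author's public key, obtained out of band.
    static boolean validate(Node signatureNode, Key verificationKey,
                            Map<String, byte[]> store) throws Exception {
        DOMValidateContext ctx = new DOMValidateContext(verificationKey, signatureNode);
        ctx.setURIDereferencer(storeDereferencer(store));
        XMLSignatureFactory factory = XMLSignatureFactory.getInstance("DOM");
        XMLSignature signature = factory.unmarshalXMLSignature(ctx);
        // Checks both the SignatureValue and every Reference digest.
        return signature.validate(ctx);
    }
}
```

With an enveloped signature, as chosen at the end of the thread, the reference is a same-document one and this dereferencer would reject it; the default dereferencer handles that case.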