RE: [dss] Groups - dss-requirements-1.0-draft-02.doc uploaded

[Trevor Perrin <trevp@trevp.net>]

At 05:50 PM 3/29/2003 +0000, Nick Pope wrote:
>Content-Transfer-Encoding: 7bit
>
>Trevor,
>
>Canonicalisation does not deal with the application specific information
>between the tags.  Differences such as line lengths and white spaces which
>in HTML don't effect the output can so easily creep in.

Huh.  Well, if the canonicalization transform isn't really canonicalizing, 
then I'd say the transform needs to be fixed, or a better one defined or 
something.


>I feel that where there exists two alernatives, I would much rather go for
>the one which both parties work from the same data rather than depend two
>implementations of complicated transforms such as XSLT working in exactly
>the same way for all situations.

If they *don't* work in the exact same way, modulo canonicalization, then 
there's room for the requestor to say, "oh, I didn't mean to sign *THAT*, 
my XSLT processor produced something slightly different".

That's one reason I think signing the transformed data is better than 
signing the transforms themselves.  In addition to the fact that not all 
transforms will even *BE* signable, so this method has limited 
applicability.  Also, XML-DSIG only allows you to specify transforms that 
are applied to the to-be-signed data before the signing.  Now you're 
proposing a different thing, transforms that are applied to the was-signed 
data after signing.  So we'd have to create a new syntax to support these 
post-signature transforms.

In any case, this whole discussion has more to do with the format of an 
XML-DSIG, then with a DSS protocol.  I hope Gregor will let us know what he 
thinks we should do here, and we can see if/how it would impact the protocol.

Trevor


>Nick
>
> > -----Original Message-----
> > From: Trevor Perrin [mailto:trevp@trevp.net]
> > Sent: 28 March 2003 21:55
> > To: Nick Pope; karel.wouters@esat.kuleuven.ac.be;
> > dss@lists.oasis-open.org
> > Subject: RE: [dss] Groups - dss-requirements-1.0-draft-02.doc uploaded
> >
> >
> > At 12:07 PM 3/28/2003 +0000, Nick Pope wrote:
> > >Content-Transfer-Encoding: 7bit
> > >
> > >Trevor,
> > >
> > >My concern with the signing of the data after an XSLT transform has been
> > >applied is that the chances of two independent implementations of XSLT to
> > >get exactly the same byte-by-byte value for all possible styles is fairly
> > >low, event though they will look the same.
> >
> > Is this taken care of by the last paragraph in XML-DSIG 6.6.5
> > (http://www.w3.org/TR/xmldsig-core/)? -
> >
> > "The output of this transform is an octet stream. The processing
> > rules for
> > the XSL style sheet or transform element are stated in the XSLT
> > specification [XSLT]. We RECOMMEND that XSLT transform authors use an
> > output method of xml for XML and HTML. As XSLT implementations do not
> > produce consistent serializations of their output, we further RECOMMEND
> > inserting a transform after the XSLT transform to canonicalize
> > the output.
> > These steps will help to ensure interoperability of the resulting
> > signatures among applications that support the XSLT transform.
> > Note that if
> > the output is actually HTML, then the result of these steps is logically
> > equivalent [XHTML]."
> >
> >
> > Trevor
> >
> >
> >