

Subject: RE: [dss] Comments by Konrad Lanz


Juan Carlos,

Having discussed this with you and thought a bit about this further, I have
the following areas that I think require consideration regarding use of
exclusive canonicalization in the core 3.3 item 1 a) & c):

a) Is it necessary to always carry out exclusive canonicalization both
before the server applied transform (as in 1a) and after the transform (as in
1c)?

b) If the transforms carried out by the server (as per first part of 1c)
already provide the necessary canonicalization is there a need to carry out
further canonicalization (as in 2nd part of 1c)?

c) If the transform carried out by the server selects a subtree of the
overall document is it not necessary to signal the fact that exclusive
canonicalization is applied as otherwise the recipient would apply normal
canonicalization (the default) and so get a different result?

Nick



> -----Original Message-----
> From: Nick Pope [mailto:pope@secstan.com]
> Sent: 04 April 2005 11:17
> To: Juan Carlos Cruellas; DSS TC List
> Subject: RE: [dss] Comments by Konrad Lanz
>
>
> Juan Carlos and all,
>
> Regarding Konrad's first comment on Canonicalization, I suggest that we
> do not be over prescriptive.  Rather than mandating exclusive
> canonicalization, I suggest that we make this a recommendation but allow a
> conformant server to apply canonicalization as it sees fit.
>
> If the transforms already being applied by the server already include any
> necessary canonicalization it is only adding unnecessary overhead, which
> could significantly impact on performance to apply an additional exclusive
> canonicalization.  I do not see this in any way affecting interoperability as
> the verifier would apply the are identified in the signature.
>
> Nick
>
> > -----Original Message-----
> > From: Juan Carlos Cruellas [mailto:cruellas@ac.upc.edu]
> > Sent: 04 April 2005 10:22
> > To: DSS TC List
> > Subject: [dss] Comments by Konrad Lanz
> >
> >
> > Dear all,
> >
> > After looking at Konrad's comments, it seems to me that he is right
> > in his comments.
> >
> > The first comment deals with canonicalization management as
> > it is expressed in the CD. As Konrad mentions, if the
> > <XMLData> is  canonicalized using the regular Canonicalization
> > algorithm, it will inherit namespaces defined in any of the ancestors
> > including the namespace of the dss, bringing undesired ambiguities...
> > I would say that his suggestion of going for exclusive canonicalization
> > seems to be correct: in fact, this exclusive canonicalization has been
> > defined for dealing with data that may be signed and in turn may be
> > enveloped.
> >
> > Concerning the second comment, I have been looking at the XML Schema
> > specification and it also seems to me that he is correct. I guess that
> > we blindly applied verification by tools that seem not to uncover this
> > kind of mistake, but the XML Schema spec seems to say that the presence
> > of xs:any with process lax within a choice with other elements breaks
> > this principle of uniqueness.
> > I guess that we would correct this mistake if we substitute the
> > elements <xs:any> by <dss:otherXX type="dss:AnyType">....because then
> > there is no need to look into the attributes or the content of the
> > element for identifying that it is the dss:otherXX element and not any
> > of the others present in the choice.
> >
> > Any comment?
> >
> > Regards
> >
> > Juan Carlos.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe from this mail list, you must leave the OASIS TC that
> > generates this mail.  You may a link to this group and all your
> > TCs in OASIS
> > at:
> > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
> >
> >
> >
>
>
>
>
>
>
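
The namespace effect discussed in this thread, as an added example that is not part of the original messages: a simplified inclusive versus exclusive canonicalizer run over a constructed envelope, showing that only the exclusive form gives the same digest inside and outside the envelope. It is not a conformant C14N implementation (prefixed names only, no comments, no default namespace); the urn:example:* namespaces, the Invoice payload and all function names are assumptions.

```python
import hashlib
from xml.dom import minidom
from xml.sax.saxutils import escape

# Constructed sample: element names follow the thread; the urn:example:* URIs
# and the Invoice payload are placeholders, not values from the DSS spec.
PAYLOAD = ('<doc:Invoice xmlns:doc="urn:example:doc" id="1">'
           '<doc:Total>10</doc:Total></doc:Invoice>')
ENVELOPE = ('<dss:SignRequest xmlns:dss="urn:example:dss" xmlns:unused="urn:example:unused">'
            '<dss:XMLData>' + PAYLOAD + '</dss:XMLData></dss:SignRequest>')
QUOT = {'"': "&quot;"}

def in_scope(node):
    """Prefix -> URI declarations visible at node; the nearest declaration wins."""
    scope = {}
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        for name, value in node.attributes.items():
            if name.startswith("xmlns:"):
                scope.setdefault(name[6:], value)
        node = node.parentNode
    return scope

def c14n(el, exclusive, rendered=None):
    """Simplified canonical form of the subtree rooted at el."""
    rendered = rendered or {}
    attrs = sorted((n, v) for n, v in el.attributes.items()
                   if n.split(":")[0] != "xmlns")
    scope = in_scope(el)  # inclusive: every declaration inherited from ancestors
    if exclusive:         # exclusive: only prefixes visibly used on this element
        names = [el.tagName] + [n for n, _ in attrs]
        used = {n.split(":")[0] for n in names if ":" in n}
        scope = {p: u for p, u in scope.items() if p in used}
    new = {p: u for p, u in scope.items() if rendered.get(p) != u}
    out = "<" + el.tagName
    out += "".join(f' xmlns:{p}="{escape(u, QUOT)}"' for p, u in sorted(new.items()))
    out += "".join(f' {n}="{escape(v, QUOT)}"' for n, v in attrs) + ">"
    for child in el.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            out += c14n(child, exclusive, {**rendered, **new})
        elif child.nodeType == child.TEXT_NODE:
            out += escape(child.data)
    return out + f"</{el.tagName}>"

def canonical(xml, exclusive):
    """Canonicalize the doc:Invoice subtree of the given XML string."""
    apex = minidom.parseString(xml).getElementsByTagName("doc:Invoice")[0]
    return c14n(apex, exclusive)

def digest(xml, exclusive):
    return hashlib.sha256(canonical(xml, exclusive).encode()).hexdigest()
```

With the inclusive form the payload picks up the dss and unused declarations from the envelope, so a party that canonicalizes the extracted payload computes a different digest than one that canonicalized it in place.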



