
security-services message



Subject: Re: Proposed errata for XML Signature references



The following explicitly diffs the original recommendation against  
the second edition:

http://www.w3.org/2007/10/htmldiff?doc1=http%3A%2F%2Fwww.w3.org%2FTR%2F2002%2FREC-xmldsig-core-20020212%2F&doc2=http%3A%2F%2Fwww.w3.org%2FTR%2F2008%2FREC-xmldsig-core-20080610%2F

(pink/green change, where pink is deleted, green is new, yellow new)



regards, Frederick

Frederick Hirsch
Nokia



On Aug 26, 2008, at 3:36 PM, Frederick Hirsch wrote:

> I propose we reference XML Signature, Second Edition [1] in new  
> specifications produced by the SSTC, including those that have not  
> yet become OASIS Standard. I also propose  corresponding errata  
> items for SAML 2.0, below.
>
> The Second Edition of XML Signature is not a new version of XML  
> Signature and does not change the namespace for XML Signature, nor  
> does it introduce breaking changes.  For this reason I believe we  
> should be able to update SAML references to refer to it.
>
> This edition of XML Signature does incorporate errata, update RFC  
> references, clarify text and introduce the new Canonical XML  
> Version 1.1  algorithm [2] as a required algorithm. Since uses of  
> XML Signature may specify the algorithms used, SAML instances may  
> continue to specify Canonical XML 1.0, though it would be  
> preferable if Canonical XML 1.1 support were introduced and used. I  
> believe the benefits of referencing the Second Edition warrant  
> approving an errata item.
>
> Canonical XML 1.1 addresses issues related to inheritance of  
> attributes in the XML namespace when canonicalizing document  
> subsets, including the requirement not to inherit xml:id, and to  
> treat xml:base URI path processing properly.
>
> A summary of changes in XML Signature Second Edition is available  
> at [3].
>
> Note that changing the reference in the SAML Conformance document  
> does not change the algorithms explicitly called out in that  
> document, though we may wish to discuss requiring Canonical XML  
> 1.1. I have not included that in this proposal.
>
> The Second Edition was not a joint IETF-W3C effort even though the  
> first edition was. There is work underway to produce a new RFC  
> corresponding to the Second Edition, but I propose SAML 2.0 only  
> reference the Second Edition Recommendation for the sake of clarity
> of having a single reference.  In addition the Recommendation is  
> listed under normative references while the RFC is listed under  
> informative references. The RFC is also referenced only in SAML  
> core while the Rec is referenced throughout the SAML 2.0  
> specification set (as noted in the proposed errata below).
>
> Thus I specifically propose the following two errata to be added to  
> the errata document (once approved), as well as two new normative  
> references  [4]:
>
> (1) Add additional normative references to Section 1.1 of the  
> Errata document:
>
> [SAMLAuthnCxt] J. Kemp et al. Authentication Context for the OASIS  
> Security Assertion Markup Language (SAML) V2.0. OASIS SSTC, March  
> 2005. Document ID saml-authn-context-2.0-os. See
> http://www.oasis-open.org/committees/security/.
>
> [SAMLSecure] F. Hirsch et al. Security and Privacy Considerations  
> for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS  
> SSTC, March 2005. Document ID saml-sec-consider-2.0-os. See
> http://www.oasis-open.org/committees/security/.
>
>
> ----
> E64: Update XML Signature references to XML Signature, Second Edition
>
> Change [SAMLCore] Section 9.1 at lines 3415-3416, [SAMLProf]
> Section 9 at lines 2205-2206, [SAMLAuthnCxt] Section 4 at lines
> 3926-3928, [SAMLConf] Section 6 at lines 410-412, [SAMLSecure] at
> lines 1078-1079 to replace a reference to XML Signature with the
> updated XML Signature, Second Edition reference, as follows:
>
> Original text:
> D. Eastlake et al. XML-Signature Syntax and Processing. World Wide Web
> Consortium, February 2002.
>
> New text:
> D. Eastlake et al. XML Signature Syntax and Processing, Second  
> Edition. World Wide Web
> Consortium,  June 2008.
>
> ----
> E65: Remove XML Signature RFC reference:
>
> Change [SAMLCore] Section 9.2 at lines 3439-3440 to remove the  
> following reference:
>
> [RFC 3075]  D. Eastlake, J. Reagle, D. Solo. XML-Signature Syntax  
> and Processing. IETF
> RFC 3075, March 2001. See http://www.ietf.org/rfc/rfc3075.txt.
>
> ---
>
> regards, Frederick
>
> Frederick Hirsch
> Nokia
>
>
> [1] http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/
>
> [2] http://www.w3.org/TR/xml-c14n11/
>
> [3] http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/explain
>
> [4] http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf
>
>
>


