[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [wss] Proposed text on C14N
I am trying to understand the summary of the C14N thread. Is this correct: Exclusive canonicalization is generally necessary when a portion of XML is to be removed from one context and put into a different XML context. The reason is that inclusive canonicalization would typically copy one set of "extra" namespace declarations from ancestor nodes in the first context and another from the second, causing the signature verification to fail. Exclusive canonicalization is not appropriate in all cases, however, since it increases the risk that not all declarations will be included explicitly in the signed XML. Examples are namespace declarations associated with non-visible prefixes, such as QNAMES in element content or attribute values, as well as xml: attribute declarations. A mechanism to explicitly add declarations would require knowledge not typically available to the security code. Thus inclusive canonicalization is safer when used in an environment where removal of XML content is not expected. To summarize, inclusive canonicalization may include too much in the XML to be signed and exclusive canonicalization may include too little. Thus application decision is required as to which mechanism to use, given processing expectations and knowledge of schema (e.g. are QNAMEs used). (Is it possible to extend exclusive canonicalization to recognize QNAMES and pull in the declarations as needed?) regards, Frederick Frederick Hirsch Nokia Mobile Phones
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]