[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] canonicalization for XACML instances being signed
For what it's worth, I think making signed XACML assertions depend on UDDI's
schema canonicalization is a bad idea. For example, I can't recall
schema-c14n *ever* being mentioned in the WS-Security group.
> Related question: do we actually need to deal with canonicalized
> XACML schema instances? If the instances are always signed and
> signature-verified in their unparsed text/octetstring form, then
> there is no need for canonicalization.
Or rather, there's no need for C14N that's schema-aware. You can just
use the common c14n and exc-c14n mechanisms as may be appropriate.
I strongly encourage you to treat it as you describe above.
/r$
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]