Subject: use of exclusive canonicalization [action 05-09-19-03]
Dear Stefan and Nick,

please find the relevant discussion on how to use exclusive canonicalization in DSS below. I think it has material for a short section in the annex. Stefan, please check whether the relevant sections ("<ds:Transforms> element of <TransformedData> or <DocumentHash>", "3.3.1 step 1 b. and c", ...) need some cross references and syncing.

Use of Exclusive Canonicalization:

Exclusive canonicalization of dereferenced and transformed data can be achieved by appending exclusive canonicalization as the last transform in the <ds:Transforms> element of <TransformedData> or <DocumentHash>. In the case of <Document> being used, this can be done by adding exclusive canonicalization as the last transform in the <ds:Transforms> of a <SignedReference> pointing to that <Document>. By doing this, the resulting data produced by the chain of transforms will always be octet stream data, which will be hashed without further processing on the <ds:Reference> level by the server, as indicated by basic processing section 3.3.1 step 1 b. and c.

Another possibility to apply exclusive canonicalization on the <ds:Reference> level is the freedom given to servers to apply additional transforms to increase robustness. This however implies that only trustworthy transformations are appended by a server. As in section 3.3.1 step 1 b, an implementation can choose to use exclusive canonicalization: "... Transforms are applied as a server implementation MAY choose to increase robustness of the Signatures created. These Transforms may reflect idiosyncrasies of different parsers or solve encoding issues and so on. ..." In such a case the exclusive canonicalization is to be included in the <ds:Transforms> as well (cf. section 3.3.1 step 1.d.v.). The standard's default is however in line with [XMLSig], as indicated in the Note in section 3.3.1 step 1 b.

However, after the server has formed a <ds:SignedInfo> (section 3.3.1 step 3), this information to be signed also needs to be canonicalized and digested; here [XMLSig] offers the necessary element <ds:CanonicalizationMethod> directly, and it can be used to specify exclusive canonicalization.

Best regards,
Konrad
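As an added illustration of the placement rules described in the message (not code from the DSS specification or from this thread), the following script locates the <ds:Transforms> chain that belongs to each input document of a constructed dss:SignRequest and checks it the way a cautious server would before dereferencing: every transform must be on an allow-list of trustworthy algorithms, and exclusive canonicalization must be the last transform. The DSS element names (TransformedData, DocumentHash, Document, SignedReference, WhichDocument) are assumed from the DSS 1.0 core schema; the request content and the allow-list are made up for the example.

```python
# Added example, not code from the DSS spec or from this thread: extract the
# ds:Transforms chain belonging to each input document of a constructed
# dss:SignRequest and check that it uses only allow-listed transforms and ends
# with exclusive canonicalization. DSS element names assumed from the 1.0 core schema.
import xml.etree.ElementTree as ET

NS = {"dss": "urn:oasis:names:tc:dss:1.0:core:schema",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
ALLOWED = {EXC_C14N, "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
           "http://www.w3.org/2000/09/xmldsig#enveloped-signature"}  # illustrative

REQUEST = """<dss:SignRequest xmlns:dss="urn:oasis:names:tc:dss:1.0:core:schema"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><dss:OptionalInputs><dss:SignedReferences>
 <dss:SignedReference WhichDocument="doc3"><ds:Transforms>
  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
 </ds:Transforms></dss:SignedReference></dss:SignedReferences></dss:OptionalInputs>
 <dss:InputDocuments><dss:TransformedData ID="doc1"><ds:Transforms>
  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
 </ds:Transforms><dss:Base64Data>PGE+eDwvYT4=</dss:Base64Data></dss:TransformedData>
 <dss:DocumentHash ID="doc2"><ds:Transforms>
  <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116"/>
 </ds:Transforms></dss:DocumentHash>
 <dss:Document ID="doc3"><dss:InlineXML><a>x</a></dss:InlineXML></dss:Document>
 </dss:InputDocuments></dss:SignRequest>"""  # constructed, abbreviated request

def algorithms(el):
    """Algorithm URIs of the ds:Transforms chain directly under el, in order."""
    return [t.get("Algorithm") for t in el.findall("ds:Transforms/ds:Transform", NS)]

def transform_chains(request_xml):
    """Map document ID -> chain; for a Document the chain is in its SignedReference."""
    root = ET.fromstring(request_xml)
    chains = {}
    for tag in ("TransformedData", "DocumentHash"):
        for el in root.iter("{%s}%s" % (NS["dss"], tag)):
            chains[el.get("ID")] = algorithms(el)
    for ref in root.iter("{%s}SignedReference" % NS["dss"]):
        chains[ref.get("WhichDocument")] = algorithms(ref)
    return chains

def check_chain(algs):
    """None if acceptable; else why. Ending in exc-c14n yields an octet stream."""
    bad = [a for a in algs if a not in ALLOWED]
    if bad:
        return "untrusted transform: " + bad[0]
    if not algs or algs[-1] != EXC_C14N:
        return "chain does not end with exclusive canonicalization"
    return None
```

With the constructed request, doc1 and doc3 pass, while doc2 is rejected because its chain contains a transform the server has not allow-listed.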