dss message

Subject: use of exclusive canonicalization [action 05-09-19-03]


Dear Stefan and Nick,

Please find the relevant discussion on how to use exclusive
canonicalization in dss below. I think it has material for a short
section in the annex. Stefan, please check whether the relevant sections
("<ds:Transforms> element of <TransformedData> or <DocumentHash>", "3.3.1
step 1 b. and c", ...) need some cross references and syncing.

Use of Exclusive Canonicalization:

Exclusive canonicalization of dereferenced and transformed data can be
achieved by appending exclusive canonicalization as the last transform
in the <ds:Transforms> element of <TransformedData> or <DocumentHash>.
In the case of <Document> being used, this can be done by adding
exclusive canonicalization as the last transform in the <ds:Transforms>
of a <SignedReference> pointing to that <Document>.

By doing this, the resulting data produced by the chain of transforms
will always be octet stream data, which the server hashes without further
processing at <ds:Reference> level, as indicated in basic processing
section 3.3.1 step 1 b. and c.

Another way to apply exclusive canonicalization at <ds:Reference> level
is the freedom given to servers to apply additional transforms to
increase robustness. This, however, implies that a server appends only
trustworthy transformations.

As stated in section 3.3.1 step 1 b, an implementation can choose to use
exclusive canonicalization: "... Transforms are applied as a server
implementation MAY choose to increase robustness of the Signatures
created. These Transforms may reflect idiosyncrasies of different
parsers or solve encoding issues and so on.  ..."
In such a case, the exclusive canonicalization is to be included in
the <ds:Transforms> as well (cf. section 3.3.1 step 1.d.v.).

The standard's default, however, is in line with [XMLSig], as indicated
in the Note in section 3.3.1 step 1 b.

Once the server has formed a <ds:SignedInfo> (section 3.3.1 step 3),
this information to be signed also needs to be canonicalized and
digested. Here [XMLSig] directly offers the necessary element,
<ds:CanonicalizationMethod>, which can be used to specify exclusive
canonicalization.

best regards
Konrad
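The transform layout described in the message above, as an added example that is not part of the original post or of any DSS implementation: a server-side check that exclusive canonicalization is the last transform of every <ds:Transforms> chain and that a formed <ds:SignedInfo> selects it in <ds:CanonicalizationMethod>. The DSS namespace URI, the `sign_request` sample builder and the `check_exclusive_c14n` function name are assumptions made for the example.

```python
# Added example, not code from the DSS spec or the mailing-list post: a server-side
# check that exclusive canonicalization is the LAST transform in every <ds:Transforms>
# chain (TransformedData, DocumentHash or SignedReference) and that a formed
# <ds:SignedInfo> selects it in <ds:CanonicalizationMethod>.
import xml.etree.ElementTree as ET

DSS = "urn:oasis:names:tc:dss:1.0:core:schema"  # DSS 1.0 core namespace (assumed)
DS = "http://www.w3.org/2000/09/xmldsig#"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
EXC_C14N_URIS = {EXC_C14N, EXC_C14N + "WithComments"}


def transform_chains(root):
    """Yield (owner element local name, [Transform Algorithm URIs]) per <ds:Transforms>."""
    for owner in root.iter():
        transforms = owner.find(f"{{{DS}}}Transforms")
        if transforms is not None:
            algs = [t.get("Algorithm") for t in transforms.findall(f"{{{DS}}}Transform")]
            yield owner.tag.rsplit("}", 1)[-1], algs


def check_exclusive_c14n(xml_text):
    """Return a list of findings; an empty list means the structure follows the annex text."""
    root = ET.fromstring(xml_text)
    findings = []
    for owner, algs in transform_chains(root):
        # The chain must END in exc-c14n so the server hashes octets without more processing.
        if not algs or algs[-1] not in EXC_C14N_URIS:
            findings.append(f"{owner}: last transform is {algs[-1] if algs else 'none'}")
    for cm in root.iter(f"{{{DS}}}CanonicalizationMethod"):
        if cm.get("Algorithm") not in EXC_C14N_URIS:
            findings.append(f"SignedInfo: CanonicalizationMethod is {cm.get('Algorithm')}")
    return findings


def sign_request(transforms):
    """Constructed minimal DSS SignRequest with one <TransformedData> (sample input)."""
    chain = "".join(f'<ds:Transform Algorithm="{a}"/>' for a in transforms)
    return (f'<SignRequest xmlns="{DSS}" xmlns:ds="{DS}"><InputDocuments>'
            f'<TransformedData><ds:Transforms>{chain}</ds:Transforms>'
            '<Base64Data>PGE+eDwvYT4=</Base64Data></TransformedData>'
            '</InputDocuments></SignRequest>')


if __name__ == "__main__":
    print(check_exclusive_c14n(sign_request([ENVELOPED, EXC_C14N])))  # []
    print(check_exclusive_c14n(sign_request([EXC_C14N, ENVELOPED])))  # one finding
```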
