Subject: Re: [ebxml-msg] Whitespace problem with XMLDSIG usage in ebMSS
I agree with Rich and think his reasoning can be extended to the underlying problem as well. Because the XSLT transform described doesn't come for free, couldn't we recommend the xml:space="preserve" attribute be set for the entire soap:Envelope or equivalent handling?

This is probably a general disagreement with the "unreasonable to expect such an MSH to preserve irrelevant whitespace" point. If we can require an MSH to preserve whitespace in the SignedInfo element, why not in the referenced signed material?

I certainly agree with Sanjay it is not intuitively obvious why the existing canonicalization methods don't remove trivial whitespace. That's balanced against our need to support receivers not using verifying parsers (also the "why" canonicalization works as it does) and the high cost of the transformation described. Therefore, I'm recommending not adding this additional transform and instead requiring implementations to avoid the underlying problem.

We'll need to discuss what "avoid the underlying problem" truly means because I'm not sure xml:space has been consistently implemented in the XML parser marketplace. It also only requires the application layer learns of all whitespace in the affected elements, not inclusion of that whitespace in a related document created by the application layer. In this context, the "application layer" is anything above the XML parser, including the SOAP processor, signature validator and MSH handler.

By the way, the XSLT block (if we do decide to use it) seems to contain a typo. Shouldn't

    <xsl:apply-templates select='@*'/>
    <xsl:apply-templates/>

instead be

    <xsl:apply-templates select='@*'>
    </xsl:apply-templates>

or

    <xsl:apply-templates select='@*'/>

I'm probably misremembering something that's not intuitive about XSLT...

thanx,
    doug

----- Original Message -----
From: "Rich Salz" <rsalz@zolera.com>
To: "David Fischer" <david@drummondgroup.com>
Cc: "Cherian, Sanjay" <Sanjay_Cherian@stercomm.com>; <ebxml-msg@lists.oasis-open.org>; "Damodaran, Suresh" <Suresh_Damodaran@stercomm.com>
Sent: Wednesday, 19 December 2001 12:14
Subject: Re: [ebxml-msg] Whitespace problem with XMLDSIG usage in ebMSS

Impressive analysis Sanjay. I disagree with one part:

>The solution to this latter problem is to require MSHs to apply the XSL
>transform to ds:SignedInfo elements BEFORE signing and BEFORE verifying
> (that is, before the XMLDSIG implementation gets the envelope).

This is often not possible. In many DSIG toolkits, the ds:SignedInfo is generated by the signing code, and the application has no capability to generate or modify it.

I think the only practical thing is to include a warning that intermediate MSH's must treat at least ds:Signature elements as if the xml:space="preserve" attribute is set.

/r$
--
Zolera Systems, Your Key to Online Integrity
Securing Web services: XML, SOAP, Dig-sig, Encryption
http://www.zolera.com
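
Added example, not part of the original messages or of the ebMS specification: the whitespace effect discussed in this thread, shown with digests over canonicalized XML. Assumptions: Python's xml.etree.ElementTree.canonicalize (C14N 2.0) stands in for the canonicalization method the thread refers to, its strip_text option stands in for a whitespace-stripping step (it is not the XSLT from the thread), and the XML fragment and URNs are constructed sample data.

```python
import hashlib
from xml.etree.ElementTree import canonicalize

# Constructed sample: the fragment exactly as the sender digested it.
SENT = ("<MessageHeader><From><PartyId>urn:example:sender</PartyId></From>"
        "<To><PartyId>urn:example:receiver</PartyId></To></MessageHeader>")

# Constructed sample: the same fragment after a hypothetical intermediary
# parsed it and re-serialized it with indentation.
RELAYED = """<MessageHeader>
  <From>
    <PartyId>urn:example:sender</PartyId>
  </From>
  <To>
    <PartyId>urn:example:receiver</PartyId>
  </To>
</MessageHeader>"""

# Constructed sample: whitespace changed inside element content, not between tags.
PADDED = SENT.replace("urn:example:sender", " urn:example:sender ")


def digest(xml_text, strip_whitespace=False):
    """SHA-256 over the canonical form; whitespace is kept unless asked otherwise."""
    canonical = canonicalize(xml_data=xml_text, strip_text=strip_whitespace)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def reference_survives(sent, received, strip_whitespace=False):
    """True if a digest computed by the sender still matches at the receiver."""
    return digest(sent, strip_whitespace) == digest(received, strip_whitespace)


if __name__ == "__main__":
    # Canonicalization keeps whitespace-only text nodes, so re-indenting breaks the digest.
    print("re-indented, plain c14n:   ", reference_survives(SENT, RELAYED))
    # Stripping on both sides makes the digest survive re-indentation...
    print("re-indented, stripped:     ", reference_survives(SENT, RELAYED, True))
    # ...but the digest then also stops covering whitespace inside element content.
    print("padded content, plain c14n:", reference_survives(SENT, PADDED))
    print("padded content, stripped:  ", reference_survives(SENT, PADDED, True))
```

The last case is the trade-off behind the thread's disagreement: a normalizing step on both sides tolerates intermediaries that reformat, at the price of the signature no longer detecting whitespace changes in the signed content.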