
ebxml-msg message


Subject: Re: [ebxml-msg] Whitespace problem with XMLDSIG usage in ebMSS

I agree with Rich and think his reasoning can be extended to the underlying
problem as well.  Because the XSLT transform described doesn't come for
free, couldn't we recommend the xml:space="preserve" attribute be set for
the entire soap:Envelope or equivalent handling?

This is probably a general disagreement with the "unreasonable to expect
such an MSH to preserve irrelevant whitespace" point.  If we can require an
MSH to preserve whitespace in the SignedInfo element, why not in the
referenced signed material?

I certainly agree with Sanjay it is not intuitively obvious why the existing
canonicalization methods don't remove trivial whitespace.  That's balanced
against our need to support receivers not using verifying parsers (also the
"why" canonicalization works as it does) and the high cost of the
transformation described.  Therefore, I'm recommending not adding this
additional transform and instead requiring implementations to avoid the
underlying problem.

We'll need to discuss what "avoid the underlying problem" truly means
because I'm not sure xml:space has been consistently implemented in the XML
parser marketplace.  It also only requires the application layer learns of
all whitespace in the affected elements, not inclusion of that whitespace in
a related document created by the application layer.  In this context, the
"application layer" is anything above the XML parser, including the SOAP
processor, signature validator and MSH handler.

By the way, the XSLT block (if we do decide to use it) seems to contain a
typo.  Shouldn't
    <xsl:apply-templates select='@*'/>
instead be
    <xsl:apply-templates select='@*'>
    <xsl:apply-templates select='@*'/>
I'm probably misremembering something that's not intuitive about XSLT...


----- Original Message -----
From: "Rich Salz" <rsalz@zolera.com>
To: "David Fischer" <david@drummondgroup.com>
Cc: "Cherian, Sanjay" <Sanjay_Cherian@stercomm.com>;
<ebxml-msg@lists.oasis-open.org>; "Damodaran, Suresh"
Sent: Wednesday, 19 December 2001 12:14
Subject: Re: [ebxml-msg] Whitespace problem with XMLDSIG usage in ebMSS

Impressive analysis Sanjay.

I disagree with one part:

>The solution to this latter problem is to require MSHs to apply the XSL
>transform to ds:SignedInfo elements BEFORE signing and BEFORE verifying
> (that is, before the XMLDSIG implementation gets the envelope).

This is often not possible.  In many DSIG toolkits, the ds:SignedInfo is
generated by the signing code, and the application has no capability to
generate or modify it.

I think the only practical thing is to include a warning that
intermediate MSH's must treat at least ds:Signature elements as if the
xml:space="preserve" attribute is set.

Zolera Systems, Your Key to Online Integrity
Securing Web services: XML, SOAP, Dig-sig, Encryption
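
Added example, not part of either message in this thread: a Python sketch of the whitespace problem being discussed, showing that canonicalization keeps whitespace-only text nodes, so an intermediary that drops them changes the digest while one that preserves them does not. The sample `ds:SignedInfo`, the `relay` function and the SHA-256 digest are constructed assumptions; Python's `ET.canonicalize` implements C14N 2.0, which like the canonicalization methods discussed here retains whitespace in character content.

```python
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)  # keep the ds: prefix when re-serialising

# Constructed sample: an indented ds:SignedInfo as a sending MSH might emit it.
SENT = (
    f'<ds:SignedInfo xmlns:ds="{DS}">\n'
    '  <ds:CanonicalizationMethod'
    ' Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>\n'
    '  <ds:Reference URI="">\n'
    '    <ds:DigestValue>CONSTRUCTED-PLACEHOLDER</ds:DigestValue>\n'
    '  </ds:Reference>\n'
    '</ds:SignedInfo>'
)


def c14n_digest(xml_text: str) -> str:
    """SHA-256 over the canonical form (the hash choice is this example's)."""
    canonical = ET.canonicalize(xml_text)  # whitespace-only text nodes are kept
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def relay(xml_text: str, preserve_space: bool) -> str:
    """Hypothetical intermediary MSH: parse, then re-serialise the element.

    With preserve_space=False it drops whitespace-only text nodes, as a
    processor that treats them as irrelevant would.
    """
    root = ET.fromstring(xml_text)
    if not preserve_space:
        for el in root.iter():
            if el.text is not None and not el.text.strip():
                el.text = None
            if el.tail is not None and not el.tail.strip():
                el.tail = None
    return ET.tostring(root, encoding="unicode")


def survives_relay(preserve_space: bool) -> bool:
    """True if the receiver's digest matches the sender's after the relay."""
    return c14n_digest(relay(SENT, preserve_space)) == c14n_digest(SENT)


if __name__ == "__main__":
    print("whitespace preserved:", survives_relay(True))
    print("whitespace stripped: ", survives_relay(False))
```

Re-serialisation differences such as attribute quoting or the empty-element form are normalised by canonicalization; only the dropped whitespace text nodes break the match.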
