Subject: Proposed errata for XML Signature references
I propose we reference XML Signature, Second Edition [1] in new specifications produced by the SSTC, including those that have not yet become OASIS Standard. I also propose corresponding errata items for SAML 2.0, below.

The Second Edition of XML Signature is not a new version of XML Signature and does not change the namespace for XML Signature, nor does it introduce breaking changes. For this reason I believe we should be able to update SAML references to refer to it.

This edition of XML Signature does incorporate errata, update RFC references, clarify text and introduce the new Canonical XML Version 1.1 algorithm [2] as a required algorithm. Since uses of XML Signature may specify the algorithms used, SAML instances may continue to specify Canonical XML 1.0, though it would be preferable if Canonical XML 1.1 support were introduced and used.

I believe the benefits of referencing the Second Edition warrant approving an errata item. Canonical XML 1.1 addresses issues related to inheritance of attributes in the XML namespace when canonicalizing document subsets, including the requirement not to inherit xml:id, and to treat xml:base URI path processing properly. A summary of changes in XML Signature Second Edition is available at [3].

Note that changing the reference in the SAML Conformance document does not change the algorithms explicitly called out in that document, though we may wish to discuss requiring Canonical XML 1.1. I have not included that in this proposal.

The Second Edition was not a joint IETF-W3C effort even though the first edition was. There is work underway to produce a new RFC corresponding to the Second Edition, but I propose SAML 2.0 only reference the Second Edition Recommendation for the sake of clarity of having a single reference. In addition the Recommendation is listed under normative references while the RFC is listed under informative references. The RFC is also referenced only in SAML core while the Rec is referenced throughout the SAML 2.0 specification set (as noted in the proposed errata below).

Thus I specifically propose the following two errata to be added to the errata document (once approved), as well as two new normative references [4]:

(1) Add additional normative references to Section 1.1 of the Errata document:

[SAMLAuthnCxt] J. Kemp et al. Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS SSTC, March 2005. Document ID saml-authn-context-2.0-os. See http://www.oasis-open.org/committees/security/.

[SAMLSecure] F. Hirsch et al. Security and Privacy Considerations for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS SSTC, March 2005. Document ID saml-sec-consider-2.0-os. See http://www.oasis-open.org/committees/security/.

----

E64: Update XML Signature references to XML Signature, Second Edition

Change [SAMLCore] Section 9.1 at lines 3415-3416, [SAMLProf] Section 9 at lines 2205-2206, [SAMLAuthnCxt] Section 4 at lines 3926-3928, [SAMLConf] Section 6 at lines 410-412, [SAMLSecure] at lines 1078-1079 to replace a reference to XML Signature with the updated XML Signature, Second Edition reference, as follows:

Original text:
D. Eastlake et al. XML-Signature Syntax and Processing. World Wide Web Consortium, February 2002.

New text:
D. Eastlake et al. XML Signature Syntax and Processing, Second Edition. World Wide Web Consortium, June 2008.

----

E65: Remove XML Signature RFC reference:

Change [SAMLCore] Section 9.2 at lines 3439-3440 to remove the following reference:

[RFC 3075] D. Eastlake, J. Reagle, D. Solo. XML-Signature Syntax and Processing. IETF RFC 3075, March 2001. See http://www.ietf.org/rfc/rfc3075.txt.

---

regards, Frederick

Frederick Hirsch
Nokia

[1] http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/
[2] http://www.w3.org/TR/xml-c14n11/
[3] http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/explain
[4] http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf
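The xml:id inheritance difference the message mentions, as an added example that is not part of the original e-mail or of either W3C specification: a small model of which xml:* attributes the top element of a canonicalized document subset picks up from its omitted ancestors under Canonical XML 1.0 versus 1.1. The sample document and the function names are constructed for illustration, and the xml:base fix-up of Canonical XML 1.1 is not modelled.

```python
import xml.etree.ElementTree as ET

XML_NS = "{http://www.w3.org/XML/1998/namespace}"
# Canonical XML 1.1 inherits only these "simple inheritable" attributes.
SIMPLE_INHERITABLE = {"lang", "space"}

# Constructed sample: <payload> is the apex of the subset to canonicalize,
# and both of its ancestors are omitted from the node-set.
SAMPLE = """<doc xml:id="outer" xml:lang="en" xml:space="preserve">
  <wrapper xml:lang="fi"><payload attr="v"/></wrapper>
</doc>"""


def inherited_xml_attrs(root, apex, version):
    """xml:* attributes the apex element gains from omitted ancestors.

    version "1.0": nearest occurrence of every xml:* attribute is inherited.
    version "1.1": only xml:lang and xml:space are inherited; xml:id never is.
    (xml:base fix-up in 1.1 is a separate URI-joining step, not modelled here.)
    """
    parents = {child: parent for parent in root.iter() for child in parent}
    inherited = {}
    node = parents.get(apex)
    while node is not None:  # walk outward so the nearest ancestor wins
        for name, value in node.attrib.items():
            # Skip non-xml attributes and ones the apex declares itself.
            if not name.startswith(XML_NS) or name in apex.attrib:
                continue
            local = name[len(XML_NS):]
            if version == "1.1" and local not in SIMPLE_INHERITABLE:
                continue
            inherited.setdefault("xml:" + local, value)
        node = parents.get(node)
    return dict(sorted(inherited.items()))


def compare(xml_text=SAMPLE, apex_tag="payload"):
    """Inherited attributes for the same apex under both versions."""
    root = ET.fromstring(xml_text)
    apex = root.find(".//" + apex_tag)
    return {v: inherited_xml_attrs(root, apex, v) for v in ("1.0", "1.1")}


if __name__ == "__main__":
    for version, attrs in compare().items():
        print("C14N", version, attrs)
```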