OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

wss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [wss] Proposed text on C14N

> but why should
> we require canonicalization that adds any xmlns attributes to the XML being
> signed?

Suppose you have this document, where (via out of band or DTD) we know that
ID is an ID attribute:
    <outer xmlns:i="urn:foo.com">
        <a:inner xmlns:a="urn:a">
            <i:innermost ID="foo">foo</i:innermost>
        </a:innert>
    </outer>

XML DSIG lets you sign
        <dsig:Reference uri="foo">...
In order to perperly sign the innermost element, you *have* to import
the xmlns:i attribute from the outer element.  XML C14N was developed
to let you sign a subset of a document; without it, the following
would verify against the original signature, and that's clearly wrong:
    <outer xmlns:i="urn:foo.com">
        <a:inner xmlns:a="urn:a" xmlns:i="urn:i">
            <i:innermost ID="foo">foo</i:innermost>
        </a:innert>
    </outer>

Contrary to what someone else posted (name escapes me), I strongly believe
that exc-c14n is *not* weaker htan xml-c14n.  It *can* be more inconvenient,
and can require close integration with the application, if the XML being
treated uses QNAMES as attribute values or element context.

I believe we should recommend EXC-C14N.  It's designed to handle the
case of xml being wrapped, which is what we're talking about here -- XML
document being put inside a SOAP message, and being secured.  Its problems
can be avoided by judicious avoidance of QNAMES as data; that is generally
something the application can address.  If we expect most SOAP and WS-Security
libraries to be generic toolkits, as opposed to custom applications written
by application developers, then we cannot expect them to have such fine-grain
control over the namespace declarations used by the SOAP framework, and
therefore XML-c14n will not be viable.

>In your last paragraph you raise an interesting point - is it unique to
>SOAP signing?

No.  There are a whole passle of issues involved in embedding XML in
XML (such as character encoding, DTD's [conveniently disallowed by
SOAP], conflicting ID/IDREF attributes), but that is really an XML
problem; SOAP can address it by using attachments, where the SOAP
body is a referrent, as imposed to inline.

        /r$
--
Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
XML Security Overview      http://www.datapower.com/xmldev/xmlsecurity.html

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]