OASIS Mailing List Archives

xacml message


Subject: Re: [xacml] canonicalization for XACML instances being signed

For what it's worth, I think making signed XACML assertions depend on UDDI's
schema canonicalization is a bad idea.  For example, I can't recall
schema-c14n *ever* being mentioned in the WS-Security group.

> Related question: do we actually need to deal with canonicalized
> XACML schema instances?  If the instances are always signed and
> signature-verified in their unparsed text/octetstring form, then
> there is no need for canonicalization.

Or rather, there's no need for C14N that's schema-aware.  You can just
use the common c14n and exc-c14n mechanisms as may be appropriate.

I strongly encourage you to treat it as you describe above.

Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
XML Security Overview      http://www.datapower.com/xmldev/xmlsecurity.html
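
The trade-off discussed in this message, as an added example that is not part of the original post: an integrity check over the unparsed octets needs no canonicalization but breaks if any hop re-serializes the instance, while a schema-unaware canonicalization makes the check survive re-serialization. Assumptions: HMAC-SHA256 stands in for the signature, Python's built-in C14N 2.0 (`xml.etree.ElementTree.canonicalize`) stands in for c14n/exc-c14n, and the namespace, key and policy documents are constructed sample values.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

KEY = b"constructed-demo-key"  # constructed; stands in for a real signing key

# Constructed XACML-like instance, byte-for-byte as the signer emitted it.
ORIGINAL = (
    b'<Policy xmlns="urn:example:xacml-demo" PolicyId="p1" '
    b'RuleCombiningAlgId="deny-overrides"><Rule RuleId="r1" Effect="Permit"/>'
    b'</Policy>'
)

# Same infoset after a parse/re-serialize hop: attribute order, quote style
# and empty-element form changed, so the octets differ.
RESERIALIZED = (
    b"<Policy RuleCombiningAlgId='deny-overrides' PolicyId='p1' "
    b"xmlns='urn:example:xacml-demo'><Rule Effect='Permit' RuleId='r1'></Rule>"
    b"</Policy>"
)

# A real content change: the rule effect is flipped.
TAMPERED = ORIGINAL.replace(b'Effect="Permit"', b'Effect="Deny"')


def mac_octets(data: bytes) -> str:
    """Integrity value over the unparsed octet string (no canonicalization)."""
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()


def mac_canonical(data: bytes) -> str:
    """Integrity value over the canonical form (schema-unaware C14N 2.0)."""
    canon = ET.canonicalize(xml_data=data.decode("utf-8"))
    return mac_octets(canon.encode("utf-8"))


def verify(expected: str, actual: str) -> bool:
    """Constant-time comparison of two hex digests."""
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    print("octets, untouched     :", verify(mac_octets(ORIGINAL), mac_octets(ORIGINAL)))
    print("octets, re-serialized :", verify(mac_octets(ORIGINAL), mac_octets(RESERIALIZED)))
    print("c14n, re-serialized   :", verify(mac_canonical(ORIGINAL), mac_canonical(RESERIALIZED)))
    print("c14n, tampered        :", verify(mac_canonical(ORIGINAL), mac_canonical(TAMPERED)))
```
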
