OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xcbf message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: [xcbf] [Fwd: Re: New specs: Exclusive C14N REC; and XPath Filter2 CR]

Interesting comments on security, namespaces
and multiple canonicalizations below. Thankfully
not in our problem set.


-------- Original Message --------
Subject: Re: New specs: Exclusive C14N REC; and XPath Filter2 CR
Resent-Date: Wed, 7 Aug 2002 00:03:36 -0400 (EDT)
Resent-From: w3c-ietf-xmldsig@w3.org
Date: Wed, 7 Aug 2002 00:03:33 -0400 (EDT)
From: Donald Eastlake 3rd <dee3@torque.pothole.com>
To: Rich Salz <rsalz@datapower.com>
CC: "XML Signature (W3C/IETF)" <w3c-ietf-xmldsig@w3.org>

Canonicalization can be hard even when things are simple, as in 
ASN.1 encoding. With XML, it is very hard and different 
applications can
easily need different canonicalizations.

It may be that the current W3C XML Canonicalizations have not bee 
adapted to Schema and to the sort of application they are talking 
where messages are shredded to their data elements, stored in a
database, and those data element are later retrieved and used to
reconsitute messages. I've writte code that does just that sort 
of thing
for ASN.1 SET messages so I know what they are talking about.

However, the reasons from not canonicalization namespaces 
prefixes are
explained in Canonical XML. If you are talking about an application
which will NEVER encouter those problems, then it would be nicer to
canonicalize prefixes. But a growing number of W3C Recommendations
encourage absolute prefix names inside attribute and element 
values and
the use of such Recommmendations in messages signed with 
prefixes will be insecure. (Actually, it can be made secure for a
restricted subset of messages that use only such Recommendations 
as are
explicitly understood by and provided for in the Canonicalization but
will be insecure as soon as a new such Recommendation comes along or
the application itself makes use of prefixes embedded in data 
that the
Canonicalization does not explicitly understand.)

There point about "just an attribute node" might be due a warning but
there is no reason people should not be able to sign so as to omit
namespace declarations if they want. There are lots of ways you 
can do
something where you either shoot yourself in the foot or get the 
(perahps unusual) effect you want, depending on your application.

Whether the things they have to say about the W3C 
Canonicalizations are
"limitations" or "necessities" depends on your application.

  Donald E. Eastlake 3rd 
  155 Beaver Street              +1-508-634-2066(h) 
  Milford, MA 01757 USA 

On Tue, 6 Aug 2002, Rich Salz wrote:

 > Date: Tue, 6 Aug 2002 21:26:14 -0400 (EDT)
 > From: Rich Salz <rsalz@datapower.com>
 > To: Joseph Reagle <reagle@w3.org>
 > Cc: "XML Signature (W3C/IETF)" <w3c-ietf-xmldsig@w3.org>
 > Subject: Re: New specs: Exclusive C14N REC; and XPath Filter2 CR
 > Resent-Date: Tue, 6 Aug 2002 21:26:01 -0400 (EDT)
 > Resent-From: w3c-ietf-xmldsig@w3.org
 > Does anyone here have comments on the UDDI C14N spec?
 > in particular, section 1.1 comments on the limitations of the 
 > standards.
 > 	/r$

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC