- From: Frederick Hirsch <Frederick.Hirsch@nokia.com>
- Date: Wed, 7 Apr 2010 09:19:55 -0400
- To: "ext kuehne@trustable.de" <kuehne@trustable.de>
- Cc: Frederick Hirsch <Frederick.Hirsch@nokia.com>, "tlr@w3.org" <tlr@w3.org>, "public-webapps@w3.org" <public-webapps@w3.org>
Thanks Andreas Yes it seems counter-intuitive not to canonicalize XML, but it is really only needed once the XML has been parsed, and avoiding canonicalization saves resources. Are you aware of the XML Security WG and the recent FPWD of Canonical XML 2.0 [1] and XML Signature 2.0 [2]? These are intended to improve simplicity, usability, streamability, reduced attack surface etc. Your comments would be very welcome! regards, Frederick Frederick Hirsch Nokia [1] http://www.w3.org/TR/2010/WD-xml-c14n2-20100304/ [2] http://www.w3.org/TR/2010/WD-xmldsig-core2-20100304/ On Apr 7, 2010, at 9:00 AM, ext kuehne@trustable.de wrote: > Hi Frederik, hi Thomas ! > > I don't want to critisize the decisions taken by your group. To keep > implementations and testing easy is a good reason ! > > But from my outside view it's a bit suprising : Seeing that XMLDSig > is used let's me expect a complex solution. So it would be good to > read at the introduction level that the use of XMLDSig is limited > to a small subset and doesn't necessarily implies a huge > infrastructure. > > Another aspect of XMLDSig's complexity is the way people used work > with it. For example I would add a canonicalization step to each > external XML document without thinking about it ... So I would > mandate an explicit note in the spec and maybe a special error > definition in case a canonicalization is used or other widget > specific constraints are violated. > > Greetings > > Andreas > > ----- original Nachricht -------- > > Betreff: Re: Widget Signature modification proposal (revised) > Gesendet: Mi, 07. Apr 2010 > Von: Frederick Hirsch<Frederick.Hirsch@nokia.com> > >> Andreas >> >> The intent of the proposed change is to remove ambiguity and thus >> enable interop - not to make it more complicated. >> >> I think having a clear profile with fewer choices should make it >> simpler for implementation. >> >> This may be on the agenda for the call this Thursday. >> >> regards, Frederick >> >> Frederick Hirsch >> Nokia >> >> >> >> On Apr 7, 2010, at 6:04 AM, ext Thomas Roessler wrote: >> >>> kuehne@trustable.de wrote: >>>> from the implementors perspective these modifications don't >>>> introduce too much trouble. But I'm a little bit concerned about >>>> the explicit ban of canonicalizations for 'external' documents like >>>> config.xml. >>> >>> It is, in the first place, the default behavior of the XML Signature >>> Reference Processing Model for external documents. >>> >>> You're right that there's a possible design choice here to *permit* >>> (not >>> mandate) canonicalization regardless. It sounds like you suggest >>> that >>> the WG make that choice, by not prohibiting use of C14N for XML >>> content, >>> but simply leaving it open? >>> >> >> >> > > --- original Nachricht Ende ---- >
Received on Wednesday, 7 April 2010 13:20:48 UTC