W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2010

Re: Widget Signature modification proposal (revised)

From: Frederick Hirsch <Frederick.Hirsch@nokia.com>
Date: Wed, 7 Apr 2010 09:24:00 -0400
Cc: "ext kuehne@trustable.de" <kuehne@trustable.de>, "tlr@w3.org" <tlr@w3.org>, "public-webapps@w3.org" <public-webapps@w3.org>
Message-Id: <BC497B1C-A932-4173-A501-81A9D2FE0578@nokia.com>
To: "Hirsch Frederick (Nokia-CIC/Boston)" <Frederick.Hirsch@nokia.com>
umm, not FPWD, rather updated WD ...

Also, the 2.0 requirements document is here: http://www.w3.org/TR/2010/WD-xmlsec-reqs2-20100204/

The latest publications status of all 1.1 and 2.0 XML Security  
documents is at  http://www.w3.org/2008/xmlsec/wiki/PublicationStatus

regards, Frederick

Frederick Hirsch
Nokia



On Apr 7, 2010, at 9:19 AM, Hirsch Frederick (Nokia-CIC/Boston) wrote:

> Thanks Andreas
>
> Yes it seems counter-intuitive not to canonicalize XML, but  it is
> really only needed once the XML has been parsed, and avoiding
> canonicalization saves resources.
>
> Are you aware of the XML Security WG  and the recent FPWD of Canonical
> XML 2.0 [1] and XML Signature 2.0 [2]? These are intended to improve
> simplicity, usability, streamability, reduced attack surface etc. Your
> comments would be very welcome!
>
> regards, Frederick
>
> Frederick Hirsch
> Nokia
>
> [1] http://www.w3.org/TR/2010/WD-xml-c14n2-20100304/
>
> [2] http://www.w3.org/TR/2010/WD-xmldsig-core2-20100304/
>
>
> On Apr 7, 2010, at 9:00 AM, ext kuehne@trustable.de wrote:
>
>> Hi Frederik, hi Thomas !
>>
>> I don't want to critisize the decisions taken by your group. To keep
>> implementations and testing easy is a good reason !
>>
>> But from my outside view it's a bit suprising : Seeing that XMLDSig
>> is used let's me expect a complex solution. So it would be good to
>> read at the introduction level that the use of  XMLDSig is limited
>> to a small subset and doesn't necessarily implies a huge
>> infrastructure.
>>
>> Another aspect of XMLDSig's complexity is the way people used work
>> with it. For example I would add a canonicalization step to each
>> external XML document without thinking about it ... So I would
>> mandate an explicit note in the spec and maybe a special error
>> definition in case a canonicalization is used or other widget
>> specific constraints are violated.
>>
>> Greetings
>>
>> Andreas
>>
>> ----- original Nachricht --------
>>
>> Betreff: Re: Widget Signature modification proposal (revised)
>> Gesendet: Mi, 07. Apr 2010
>> Von: Frederick Hirsch<Frederick.Hirsch@nokia.com>
>>
>>> Andreas
>>>
>>> The intent of the proposed change is to remove ambiguity and thus
>>> enable interop - not to make it more complicated.
>>>
>>> I think having a clear profile with fewer choices should make it
>>> simpler for implementation.
>>>
>>> This may be on the agenda for the call this Thursday.
>>>
>>> regards, Frederick
>>>
>>> Frederick Hirsch
>>> Nokia
>>>
>>>
>>>
>>> On Apr 7, 2010, at 6:04 AM, ext Thomas Roessler wrote:
>>>
>>>> kuehne@trustable.de wrote:
>>>>> from the implementors perspective these modifications don't
>>>>> introduce too much trouble. But I'm a little bit concerned about
>>>>> the explicit ban of canonicalizations for 'external' documents  
>>>>> like
>>>>> config.xml.
>>>>
>>>> It is, in the first place, the default behavior of the XML  
>>>> Signature
>>>> Reference Processing Model for external documents.
>>>>
>>>> You're right that there's a possible design choice here to *permit*
>>>> (not
>>>> mandate) canonicalization regardless. It sounds like you suggest
>>>> that
>>>> the WG make that choice, by not prohibiting use of C14N for XML
>>>> content,
>>>> but simply leaving it open?
>>>>
>>>
>>>
>>>
>>
>> --- original Nachricht Ende ----
>>
>
Received on Wednesday, 7 April 2010 13:24:44 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:38 GMT