W3C home > Mailing lists > Public > public-xmlsec@w3.org > January 2009

proposed text on DTDs for Transform Simplification: Requirements and Design

From: Brad Hill <brad@isecpartners.com>
Date: Wed, 14 Jan 2009 13:54:41 -0800
To: "public-xmlsec@w3.org" <public-xmlsec@w3.org>
Message-ID: <7E3B942D6F9AE64EA28CE80B7283C1EC21065F3FD6@exch01.isecpartners.com>

4.2.1  Processing of DTDs

It should also be noted in the context of proposed changes to the transform processing model that canonicalization/pre-hashing algorithms to be defined for XML Signature 2.0 are likely not to imply DTD validation and entity expansion.  The choice and order of DTD resolution and entity expansion relative to signature creation and validation would thus fall to application workflow outside of core XMLDSIG.  The change will introduce additional complexity for applications relying on entities, but entity expansion as a mandatory part of signature validation is incompatible with core requirements of XMLDSIG.  For example, DTD processing makes time and resource requirements for core validation non-deterministic, introduces difficult-to-control resource resolution requirements and requires tight coupling between validators and signed content consumers to ensure they have the same view of DTDs.

The working group invites comments on this change and whether it would necessitate an additional, OPTIONAL, attribute or other declaration to indicate DTD validation and entity expansion prior to hashing (perhaps with the DTD itself mandatorily included as a reference in the same signature) to support common use cases in the community.
Received on Wednesday, 14 January 2009 21:55:30 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:43:57 GMT