- From: Scott Cantor <cantor.2@osu.edu>
- Date: Mon, 26 Jan 2009 14:20:43 -0500
- To: "'XMLSec WG Public List'" <public-xmlsec@w3.org>
- Cc: "'Pratik Datta'" <pratik.datta@oracle.com>
Mainly just interested in strengthening the message here about the breaking change, and getting c14n into the discussion up front, since the note is actually intended to propose a breaking change to both as it currently stands. I also added a line about the fact that some use cases that are supported now literally wouldn't be. I think that's really the point here, since that's what tends to get people's hackles up. Here's a suggested replacement for section 1: ---- The Reference processing model and associated transforms currently defined by XML Signature [XMLDSIG2nd] are very general and open-ended, which complicates implementation and allows for misuse, leading to performance and security difficulties. Support for arbitrary canonicalization algorithms, and the complexity of the existing algorithms in order to meet various generic requirements is also a source of problems. Current experience with the use of XML Signature suggests that a simplified reference, transform, and canonicalization processing model would address the most common use cases while improving performance and reducing complexity and security risks [XMLSecNextSteps] [BradHill]. This document outlines a proposed change to the XML Signature processing model to achieve these goals. It also outlines use cases and the new requirements associated with the suggested changes. It should be noted that this proposal is not for an additional constrained processing model, but for an actual replacement of the existing generically extensible model that exists now. Thus, the changes proposed in this document would be a breaking change to XML Signature, necessitating new implementations and possibly precluding the ability to support some use cases currently supported. Thus, before making such a change in a proposed new version of XML Signature, the XML Security Working Group would like to obtain additional feedback on this proposal. The purpose of this document is to solicit early feedback. ---- -- Scott
Received on Monday, 26 January 2009 19:21:30 UTC