W3C home > Mailing lists > Public > public-xmlsec@w3.org > July 2009

RE: Comments on reading of WS-I constraints on DSig (Issue 9)

From: Scott Cantor <cantor.2@osu.edu>
Date: Thu, 2 Jul 2009 11:10:08 -0400
To: "'Edgar, Gerald'" <gerald.edgar@boeing.com>, "'XMLSec WG Public List'" <public-xmlsec@w3.org>
Message-ID: <03d501c9fb27$2fd515c0$8f7f4140$@2@osu.edu>
Edgar, Gerald wrote on 2009-07-01:
> WS-I BSP addresses Transforms as one unit and references a number of
> specifications from  the W3C in specifying how to form the transform
> structures, but these are based on XML-DSIG 1.0.   In DSIG 1.1
> (http://www.w3.org/TR/2009/WD-xmldsig-simplify-20090226/)  transforms
> are broken up into three sections "Selection, Transforms and
> Canonicalization".

It's 2.0 where we want to change things, not 1.1, but yes, this is going to
impact every downstream spec that tried to simplify the situation.

As I've been trying to convince people in the XRI TC, the profile of XMLSig
that SAML uses is essentially an example of the same kind of simplification
that Prateek is proposing, just expressed in terms of constraints on the
original syntax and transforms, rather than bundled into a new transform.

You limit yourself to Enveloped + Excl C14N, and allow only a single
reference to an ID-based element at the root of a subtree. That lets you
implement the simplified excl c14n algorithm described in that spec, which
in turn is roughly similar to what we're trying to do in 2.0.

So anything that was sort of on the road to simplifying things via profile
has to either stick with that, or rev to rely on the new approach.

My expectation is that some people (ok, me) will implement new signature
libraries that implement only this constrained approach (probably without
XPath as well), and we'll special-case the old profile(s) to support it
alongside the new model.

-- Scott
Received on Thursday, 2 July 2009 15:10:39 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:43:59 GMT