W3C home > Mailing lists > Public > public-xmlsec@w3.org > April 2010

RE: Action-539: review C14N2.0

From: Scott Cantor <cantor.2@osu.edu>
Date: Tue, 20 Apr 2010 13:05:27 -0400
To: "'Karel Wouters'" <karel.wouters@esat.kuleuven.be>
Cc: "'XMLSec WG Public List'" <public-xmlsec@w3.org>
Message-ID: <01ba01cae0ab$ac726cd0$05574670$@2@osu.edu>
> The signer might not be the one who has produced the document, so he
> might not be in a position to decide what's meaningless.

Yes, that's true, so he probably wouldn't be using that option.
 
> But at the same time, those users might add xml:space=preserve when
> enveloping the signature in another document, precisely to protect all
> their pretty-printing.

Schemas/grammars/specs would have to explicitly permit xml:space to appear
on the root element for that to be a concern. And would those users really
think to do this? Doesn't seem likely to me.

> They don't know that pretty printing will kill
> the signature, so surely they don't know that xml:space=preserve will do
> the same.

Yes, but pretty printing is pretty common, and xml:space is not so much, is
it?

> Conclusion: trimTextNode=true is to be included when signers expect that
> pretty printing will mess up the signature, but can be problematic for
> those pretty printers that also include xml:space=preserve
> 
> So it doesn't protect against all mess-ups, but at least against a
> (considerable?) part of it.

In the cases I'm aware of, "considerable" borders on "virtually all".

-- Scott
Received on Tuesday, 20 April 2010 17:06:27 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 20 April 2010 17:06:27 GMT