Re: Changes to C14N 2.0 from Frederick.Hirsch@nokia.com on 2011-01-04 (public-xmlsec@w3.org from January 2011)

From: <Frederick.Hirsch@nokia.com>
Date: Tue, 4 Jan 2011 14:27:41 +0100
To: <pratik.datta@oracle.com>
CC: <Frederick.Hirsch@nokia.com>, <public-xmlsec@w3.org>
Message-ID: <323B00DD-AE65-4895-AD9F-AC2C68DA8861@nokia.com>

comments inline. Thanks for making these updates.

regards, Frederick

Frederick Hirsch
Nokia

On Jan 4, 2011, at 2:28 AM, ext Pratik Datta wrote:

http://www.w3.org/2008/xmlsec/Drafts/c14n-20/ Version 03 Jan 2011

Made the following changes
- All changes decided in TPAC 2010 http://lists.w3.org/Archives/Public/public-xmlsec/2010Nov/0006.html
- ACTION-680 scanning XPath for prefixes
- ACTION-692 hilight that Inclusive has been removed completely
- ACTION-712 XPathElement child of QNameAware
- ACTION-714 warning about not redefiniting xml and xmlns prefixes
- ACTION-715 scanning XPath for prefixes

While making the changes I realized a few problems
1. We removed Inclusing canonicalization completely, however the abstract of the document says “Canonical XML Version 2.0 is a major rewrite of Canonical XML Version 1.1 and Exclusive Canonical XML 1.0 … It combines inclusive and exclusive canonicalization algorithms into a single algorithm, that takes the canonicalization mode as a parameter.” If we remove inclusive canonicalization , can we still say that Canonical XML 2.0 is a successor to Canonical XML 1.0?

Not sure why we need to say this, simply say what it is, 2.0 canonicalization for XML Signature 2.0, suitable for streaming etc. I suggest we remove the text you mention

2. Section “2.4 The need for Exlcusive Canonicalization” needs to be moved to a different location and also modified. It was written to introduce exclusive to people who were familiar with inclusive, however that doesn’t apply any more since we removed inclusive.

I think material on how this differs from and relates to previous work should be put into the introduction but only as a brief paragraph or two.

3. Currently the behavior of TrimTextNodes parameter depends on xml:space= “preserve” . But this doesn’t make sense in exclusive mode. Because we are not supposed to rely on ancestor context in exclusive mode.. I say that we completely ignore xml:space.

We should be explicit if we do this and say it is ignored.

4. CURIE doesn’t make sense in exclusive mode also. First of all we removed such a basic thing like Inclusive canonicalization. Should we even put in something like CURIE in C14N 2.0? Secondly we don’t have the CURIE context in C14N 2.0, so how do we even do visibly utilized. E.g. in the following snippet <a prefix="cc:http://creativecommons.org/ns#" rel="cc:license"> the "cc:license" is a compact way for saying " http://creativecommons.org/ns#license" . But C14N 2.0 will not look at the prefix definition at all, so it cannot interpret this.

sounds like we can simplify here, which is probably good...

5. We are down to 4 parameters, and we are saying that only the default values are MANDATORY to implement. Non defaults are OPTIONAL. I suggest we make them all MANDATORY, otherwise certain basic things like the solution to the XPAth wrapping attack will not be available.

we should discuss this - comments on the list anyone?

Pratik
-

Received on Tuesday, 4 January 2011 13:33:31 UTC