Re: Canonical XML error

Thanks, Scott for the clarification.

Apologies Steve if I misread the question.

The original Canonical XML requirements stated that the result of Canonical XML should be well-formed (section 3, number 2):

http://www.w3.org/TR/1999/NOTE-xml-canonical-req-19990605

XML Security 1.1 requirements discusses the changes needed but did not change this requirement,  http://www.w3.org/2008/xmlsec/Drafts/xmlsec-reqs/Overview.html

XML Security 2.0 modified this requirement, explicitly stating that "Canonical output need not be valid XML" (section 3.3.2.2)

http://www.w3.org/2008/xmlsec/Drafts/xmlsec-reqs2/Overview.html#modified-requirements

We'll have to look at this more carefully.

regards, Frederick

Frederick Hirsch
Nokia



On Sep 7, 2011, at 10:57 AM, ext Cantor, Scott wrote:

> On 9/7/11 10:51 AM, "Frederick.Hirsch@nokia.com"
> <Frederick.Hirsch@nokia.com> wrote:
>> 
>> It is  the job of an XML document author to produce well-formed XML
>> before any considerations of signing/encryption and XML Canonicalization.
>> Any required escaping happens before security processing, and there are a
>> variety of choices that can be made
>> for such escaping, as well as other representation of information.
>> Canonical XML is agnostic to these choices.
> 
> I think his point is that in the process of following the spec, c14n
> replaces those character references with the actual characters. So I think
> the result of that is non-well-formed. I can't recall if it's an explicit
> guarantee of c14n that the output be well-formed. I suspect it was a goal,
> but not a guarantee. If so, it's not a bug, but perhaps something to
> address in 2.0.
> 
> -- Scott
> 

Received on Wednesday, 7 September 2011 15:09:43 UTC