W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > April to June 2000

XML Signature use of Canonical XML (Was: Minutes for XML Core WG telcon of 2000 Apr 5)

From: Joseph M. Reagle Jr. <reagle@w3.org>
Date: Thu, 06 Apr 2000 18:57:03 -0400
Message-Id: <>
To: "IETF/W3C XML-DSig WG" <w3c-ietf-xmldsig@w3.org>
The Core WG has been trying to decide what to do with the Canonical XML spec
as they have many deliverables on their plate and presently we are the only
consumer (though I believe we are only the first, there will be many other
applications with requirements similar to our own.) I hope they will produce
another draft soon, and there is sometimes talk of them handing the spec off
to us, but nothing conlusive so far. However, I did try to update them on my
view of this WG's view of that spec. Any thoughts are appreciated.

Forwarded Text ----
 Date: Thu, 06 Apr 2000 18:50:56 -0400
 To: w3c-xml-core-wg@w3.org
 From: "Joseph M. Reagle Jr." <reagle@w3.org>
 Subject: XML Signature use of Canonical XML (Was: Minutes for XML Core WG
telcon of 2000 Apr 5)
 [Note: I had an agreement with the Core's predessor (Syntax) for
cross-posting any c14n relevent information to the public list. I'm not
cc'ing this, but will make this information available in some way -- I'd
like to forward it if I could have a similar understanding with the Core WG.
Also, this is only my summary of the WG's position and likely direction, but
not a formal/endorsed statement.]
 The XML Signature WG's approach on the c14n issue has been mixed because of
a difference between those who planned to approach the processing of XML in
the Infoset/DOM manner (that requires node serialiazation and
canonicalization), and those that wanted to process it merely as characters
(that required some line feed and CR canonicalization at most.) Our
compromise was to require "minimal" and strongly recommend XML Canonical.
 However, during last call (which ended yesterday) there's been substantive
call for removing minimal all together based on implementation experience
[1], though the security concerns associated with XML Canonical are still
raised [2]. I expressed my view that "We've been trying to play agnostic
between XML as XML, and XML as a character sequence, but I believe the spec
should follow the implementations, which seem to be adopting the XML toolkit
(XML as XML) route." [3] Consequently, the advancement of Canonical XML is
very important to us even though we still have our own difficult
consensus/balancing act between XML-as-XML and something some security folks
are comfortable with.
 I'm looking forward to the next draft of the spec that resolves some of the
other comments sent during last call [4] (though I know the Core WG is very
busy). Also, the Signature WG identified in our comments  [5] that we're
going to have to figure out some way canonicalize XML fragments (i.e.
serialized returns of XPath), though I'm beginning to wonder if this would
be a useful feature to include in the Canonical XML spec itself? Gregor
Karlinger has suggested that the fragments be wrapped in a declaration and a
specific element from the Signature element type in our case, though that
could be generalized. [6]

End Forwarded Text ----

Joseph Reagle Jr.   
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/People/Reagle/
Received on Thursday, 6 April 2000 18:57:17 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:21:33 UTC