Re: CanonicalizationMethod

From: Joseph M. Reagle Jr. <reagle@w3.org>
Date: Mon, 31 Jul 2000 14:13:05 -0700
Message-Id: <3.0.5.32.20000731141305.013dd5d8@localhost>
To: Thomas Maslen <maslen@dstc.edu.au>
Cc: "IETF/W3C XML-DSig WG" <w3c-ietf-xmldsig@w3.org>

At 18:20 7/31/2000 +1000, Thomas Maslen wrote:
 >One last vestige (I think) of the no-longer-optional CanonicalizationMethod
 >that I didn't notice last time around...  in the editors' copy at
 >
 >	http://www.w3.org/Signature/Drafts/WD-xmldsig-core-latest/
 >
 >section "3.2.2 Signature Validation", item 3 says "(optionally canonicalized)".
 >Should it be just "(canonicalized)" now?

Noted and fixed!

 >Also, step 1 of section 3.2.1 is exactly the same as step 1 of section 3.2.2.
 >I understand why it's in 3.2.2, and I'm willing to believe that it may also
 >be necessary in 3.2.1 to stave off some attack, but it looks for all the world
 >like a cut-and-paste error -- perhaps it needs some text in parentheses that
 >boils down to "yes, we really do mean this, and here's why"?  (And, if this is
 >necessary, should it be hoisted above "For each Reference in SignedInfo:"?).

That's been mentioned before and your recommendation is a good one:

Canonicalize the SignedInfo element based on the CanonicalizationMethod in
SignedInfo (so as to ensure the application Sees What is Signed, which is
the canonical form).

_________________________________________________________
Joseph Reagle Jr.   
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/People/Reagle/
Received on Monday, 31 July 2000 14:12:46 GMT
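
The step proposed in the message above, as an added example that is not part of the original post or of the working group's draft: the validator reads CanonicalizationMethod from inside SignedInfo, rejects a missing or unknown method, and digests only the canonical octets. Assumptions: the samples are constructed and trimmed, the helper names are hypothetical, and Canonical XML 2.0 (the algorithm Python's standard library implements) stands in for whichever method the draft named in 2000.

```python
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
# Assumption: only Canonical XML 2.0 is accepted, because that is the
# algorithm the standard library's ET.canonicalize() implements.
C14N2 = "http://www.w3.org/2010/xml-c14n2"
SUPPORTED = {C14N2: ET.canonicalize}


def canonical_signed_info(signed_info_xml: str) -> bytes:
    """Canonical octets of SignedInfo, using the method it names itself."""
    root = ET.fromstring(signed_info_xml)
    if root.tag != f"{{{DSIG_NS}}}SignedInfo":
        raise ValueError("root element is not SignedInfo")
    method = root.find(f"{{{DSIG_NS}}}CanonicalizationMethod")
    if method is None:
        raise ValueError("CanonicalizationMethod is required")
    canonicalize = SUPPORTED.get(method.get("Algorithm"))
    if canonicalize is None:
        raise ValueError("unsupported CanonicalizationMethod")
    return canonicalize(signed_info_xml).encode("utf-8")


def signed_info_digest(signed_info_xml: str) -> str:
    """SHA-256 over the canonical form: the octets a signature covers."""
    return hashlib.sha256(canonical_signed_info(signed_info_xml)).hexdigest()


# Constructed samples: one SignedInfo, two serializations that differ in
# quote style, attribute order, spacing and empty-element syntax.
SAMPLE_A = (
    f'<SignedInfo xmlns="{DSIG_NS}">'
    f'<CanonicalizationMethod Algorithm="{C14N2}"/>'
    '<Reference URI="#payload" Id="r1"><DigestValue>AAAA</DigestValue></Reference>'
    "</SignedInfo>"
)
SAMPLE_B = (
    f"<SignedInfo xmlns='{DSIG_NS}'>"
    f"<CanonicalizationMethod   Algorithm='{C14N2}'></CanonicalizationMethod>"
    "<Reference Id='r1'  URI='#payload'><DigestValue>AAAA</DigestValue></Reference>"
    "</SignedInfo>"
)

if __name__ == "__main__":
    print("raw text equal:      ", SAMPLE_A == SAMPLE_B)
    print("canonical form equal:", signed_info_digest(SAMPLE_A) == signed_info_digest(SAMPLE_B))
```

Application logic should consume the bytes returned by `canonical_signed_info`, not the serialization that arrived on the wire, so that what it processes is what the signature covers.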
