- From: Donald E. Eastlake 3rd <dee3@torque.pothole.com>
- Date: Sun, 19 Nov 2000 22:13:43 -0500
- To: w3c-ietf-xmldsig@w3.org

The problems of white space have been discussed quite extensively. Requiring validation of all signed XML means that you don't have a general XML digital signature standard because you can't sign arbitrary XML protocol inclusions or make a general closed box XML signature library. You have made secure XML non-extensible except under the (in my opinion generally unrealistic) requirement that the DTD/Schema for all signed data which is processed as XML accompany that data or have been previously incorporated into all the software that would ever have to create/verify the signatures.

If you know, for some specific application, that white space or anything else is insignificant, you can certainly define canonicalizations and/or transformations to strip out the insignificant information.

Thanks,
Donald

From: Kevin Regan <kevinr@valicert.com>
Date: Wed, 15 Nov 2000 14:10:52 -0800
To: John Boyer <jboyer@PureEdge.com>, Kevin Regan <kevinr@valicert.com>
Cc: w3c-ietf-xmldsig@w3.org
Message-id: <613B3C619C9AD4118C4E00B0D03E7C3E3CB13A@exchange.valicert.com>

>It seems that most folks will not be getting the expected results
>with signatures. Any transport that modifies insignificant white space
>will break the signature. I would assume that in most protocols that
>send XML documents, insignificant white space is removed for efficiency
>reasons. In addition, whenever a document is displayed (such as in IE),
>the spacing is changed (in fact, the spacing of the examples at the end
>of the XML C14N spec are probably spaced according to the displaying
>application). Finally, the size of a document can not be minimized when
>being stored because the signature would break.
>
>Interoperability with non-validating processors might be a noble cause,
>but it may cause many more problems for those (the majority?) using
>validating processors. I predict a large number of problems down the
>road for many applications...
>
>--Kevin
>
>-----Original Message-----
>From: John Boyer [mailto:jboyer@PureEdge.com]
>Sent: Wednesday, November 15, 2000 2:06 PM
>To: Kevin Regan
>Cc: w3c-ietf-xmldsig@w3.org
>Subject: RE: question on latest spec
>
>
>Hi Kevin,
>
>The reason is signature interoperability with non-validating processors.
>
>I empathize, though :)
>
>Thanks,
>John Boyer
>
>
>-----Original Message-----
>From: Kevin Regan [mailto:kevinr@valicert.com]
>Sent: Wednesday, November 15, 2000 1:50 PM
>To: John Boyer
>Cc: w3c-ietf-xmldsig@w3.org
>Subject: RE: question on latest spec
>
>
>
>What is the reason for doing this? Isn't the exclusion of insignificant
>white space one of the key forms of equivalence? XML documents can be
>displayed and handled in many different ways, with white space being
>added or removed from element content at various steps. In general, this
>is not a problem if a DTD is being used. The meaning of the document
>is clear. However, this form of equivalence is eliminated in the XML
>C14N specification. Why?
>
>Sincerely,
>Kevin Regan
>
>
>-----Original Message-----
>From: John Boyer [mailto:jboyer@PureEdge.com]
>Sent: Wednesday, November 15, 2000 1:12 PM
>To: Kevin Regan; w3c-ietf-xmldsig@w3.org
>Cc: Joseph Reagle
>Subject: RE: question on latest spec
>
>
>Hi Kevin,
>
>Actually, Section 2.10 of the XML spec makes it quite clear that all XML
>processors must be capable of providing to the application ALL whitespace
>within the document element. Validating processors must further be capable
>of telling the application whether a given whitespace character appeared in
>element content, i.e. was insignificant.
>
>Many implementers of validating processors allow the application developer
>to configure whether the whitespace should simply be discarded.
>
>The statement you've come across in Section 2.1 is telling you how to
>configure your validating parser. You MUST set it so that all whitespace is
>reported to the canonicalizer.
>
>NOTE: I don't see any harm in throwing out insignificant whitespace *before*
>the document is signed. In other words, the original document accessed by
>the user from the web may have insignificant whitespace that your
>application strips out before even presenting the information content to the
>end-user. Once the end user affixes a signature, though, any insignificant
>whitespace that gets added to the signed document will break the
>signature.
>
>John Boyer
>Development Team Leader,
>Distributed Processing and XML
>PureEdge Solutions Inc.
>Creating Binding E-Commerce
>v: 250-479-8334, ext. 143 f: 250-479-3772
>1-888-517-2675 http://www.PureEdge.com <http://www.pureedge.com/>
>
>
>
>-----Original Message-----
>From: w3c-ietf-xmldsig-request@w3.org
>[mailto:w3c-ietf-xmldsig-request@w3.org]On Behalf Of Kevin Regan
>Sent: Sunday, November 12, 2000 6:20 PM
>To: w3c-ietf-xmldsig@w3.org
>Subject: question on latest spec
>
>
>
>I've been away on other activities for a while, and have just recently
>gotten back to the XML C14N specification. I came across the following in
>section 2.1:
>
>"All whitespace within the root document element MUST be preserved
>(except for any #xD characters deleted by line delimiter normalization).
>This includes all whitespace in external entities. Whitespace outside of
>the root document element MUST be discarded."
>
>I'm assuming that this means white space that is presented after the
>document is processed by the XML processor. When a validating XML processor
>reads in a document against a DTD, insignificant white space is removed.
>This is not the white space that the specification is referring to, is it?
>
>Sincerely,
>Kevin Regan

Received on Sunday, 19 November 2000 22:09:25 UTC
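
The whitespace behaviour debated in this thread, as an added example that is not part of the original messages: a digest over the canonical form changes when a transport re-indents the document, and an application-defined stripping step applied on both the signing and verifying side removes that difference. Assumptions: Python's `xml.etree.ElementTree.canonicalize` (C14N 2.0, Python 3.8+) stands in for the 2000 C14N draft, SHA-256 stands in for the signature's digest step, and the sample documents and function names are constructed for illustration.

```python
import hashlib
from xml.etree.ElementTree import canonicalize

# Constructed samples: one order as signed, as re-indented by a transport
# or viewer, and with padding inside a text value.
COMPACT = '<order id="7"><item>widget</item><qty>2</qty></order>'
INDENTED = """<order id="7">
  <item>widget</item>
  <qty>2</qty>
</order>
"""
PADDED = '<order id="7"><item> widget </item><qty>2</qty></order>'


def digest(xml_text, strip_whitespace=False):
    """Digest of the canonical form (hypothetical helper).

    By default canonicalize() keeps all whitespace inside the root element,
    which is the rule quoted from section 2.1. strip_text=True trims leading
    and trailing whitespace from every text node, an application-specific
    transform of the kind the reply suggests.
    """
    canonical = canonicalize(xml_text, strip_text=strip_whitespace)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def digests_match(a, b, strip_whitespace=False):
    """True if both documents would yield the same digest value."""
    return digest(a, strip_whitespace) == digest(b, strip_whitespace)


if __name__ == "__main__":
    # Whitespace preserved: re-indentation changes the digest.
    print("preserving:", digests_match(COMPACT, INDENTED))
    # Application strips whitespace on both sides: digests agree.
    print("stripping: ", digests_match(COMPACT, INDENTED, True))
    # The same transform also hides padding inside a value, so it is only
    # safe when the application knows that whitespace carries no meaning.
    print("padded:    ", digests_match(COMPACT, PADDED, True))
```

The stripping transform has to be declared as part of what is signed, since a verifier that canonicalizes without it computes a different digest.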