- From: Ed Simon <edsimon@xmlsec.com>
- Date: Thu, 25 Jul 2002 10:07:35 -0400
- To: "Christian Geuer-Pollmann" <geuer-pollmann@nue.et-inf.uni-siegen.de>, "Carl Ellison" <cme@jf.intel.com>, <reagle@w3.org>
- Cc: "XML Signature \(W3C/IETF\)" <w3c-ietf-xmldsig@w3.org>
I am not familiar enough with UPnP, but from what I have seen, it seems quite possible that there may be intermediaries who have to do some XML processing before forwarding the SOAP message to the validating entity. If this is the case, you cannot guarantee that the canonical form sent is what was received. Maybe Carl can clarify. Ed ---------------------------------------------------------------------------- ------------------------------------------- Ed Simon <edsimon@xmlsec.com> (613) 726-9645 XMLsec Inc. Interested in XML Security Training and Consulting services? Visit "www.xmlsec.com". ----- Original Message ----- From: "Christian Geuer-Pollmann" <geuer-pollmann@nue.et-inf.uni-siegen.de> To: "Carl Ellison" <cme@jf.intel.com>; <reagle@w3.org> Cc: "XML Signature (W3C/IETF)" <w3c-ietf-xmldsig@w3.org> Sent: Thursday, July 25, 2002 4:18 AM Subject: Re: minimal canonicalization > > > > --On Mittwoch, 24. Juli 2002 17:34 -0700 Carl Ellison <cme@jf.intel.com> wrote: > > > In that case, you have a sender and a receiver. If the sender is > > powerful, it is generating the signature and controlling its output, > > but it has no reason to use anything but C14N. However, the receiver > > is limited in CPU power (and possibly memory) and needs to > > canonicalize the incoming message in order to verify the signature. > > That's the one that can't afford C14N. > > The sender c14nizes to create the input for the digest. Right. But--the sender is free to even output canonical XML, so that the receiver already get's the canonical form. In that special case, there would be no necessity to c14nize because it is already done. > > Christian > >
Received on Thursday, 25 July 2002 10:08:03 UTC