Re: minimal canonicalization

I guess the question to me is "what XML processing capability does the
constrained device have?".  Can it, for example, do at least SAX parsing?
If so, I think that should be enough because if UPnP requires a certain c14n
and sufficiently constrains the XML context in which an XML Signature can be
carried, then the validator can assume that c14n was then used.  Depending
on the UPnP details, which I would have to see before I get too speculative,
the validator need only use XML-aware processing to extract from the
received signature, the digest, digest method (if variable), the signature
value, the signature method (if variable), key info, and assurance the
signature covers what it is supposed to.  The rest would be some
optimization trickery which is a bit more than I can write at the moment but
suffice to say the more assumptions one can earnestly make about the input
signature, the less computing one needs to do.  The validator need not have
a general purpose XML Signature processor, just one that can handle the
signature types it expects to receive.

Ed


---------------------------------------------------------------------------------------------------------------------
Ed Simon
<edsimon@xmlsec.com>
(613) 726-9645
XMLsec Inc.

Interested in XML Security Training and Consulting services?  Visit
"www.xmlsec.com".
----- Original Message -----
From: "Carl Ellison" <cme@jf.intel.com>
To: <reagle@w3.org>
Cc: "XML Signature (W3C/IETF)" <w3c-ietf-xmldsig@w3.org>
Sent: Wednesday, July 24, 2002 8:34 PM
Subject: Re: minimal canonicalization


>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> At 03:07 PM 7/24/2002 -0400, Joseph Reagle wrote:
> >On Wednesday 24 July 2002 01:13 pm, Carl Ellison wrote:
> >> We actually have devices that are resource constrained and need to
> >> do minimal canonicalization (as part of UPnP), but the way this
> >> recommendation is written, it suggests that the constrained device
> >> control its output.
> >
> >Is the constrained device generating a signature. If so, yes, it's
> >generating and controlling its output.
> >
> >>  In fact, if we have two devices, one powerful
> >> and doing C14-N and one constrained, it is the powerful one that
> >> has to make sure its output is canonicalized.
> >
> >I don't yet understand the scenario.
>
>
> We are using XML DSig to sign SOAP commands for UPnP.  Each SOAP
> command is an XML structure.  We aren't signing documents but rather
> messages (or parts of messages, to be more precise).
>
> In that case, you have a sender and a receiver.  If the sender is
> powerful, it is generating the signature and controlling its output,
> but it has no reason to use anything but C14N.  However, the receiver
> is limited in CPU power (and possibly memory) and needs to
> canonicalize the incoming message in order to verify the signature.
> That's the one that can't afford C14N.
>
>  - Carl
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 7.1
>
> iQA/AwUBPT9HncxqBGb+WvJAEQKa7ACgnYn2ko9GbdZYsnfPQ8jsb+GTb2EAoIq/
> 5/AfChm5h2u9P18kGj/niHmv
> =BV4q
> -----END PGP SIGNATURE-----
>
>
> +--------------------------------------------------------+
> |Carl Ellison      Intel Labs        E: cme@jf.intel.com |
> |2111 NE 25th Ave                    T: +1-503-264-2900  |
> |Hillsboro OR 97124                  F: +1-503-264-6225  |
> |PGP Key ID: 0xFE5AF240              C: +1-503-819-6618  |
> |  1FDB 2770 08D7 8540 E157  AAB4 CC6A 0466 FE5A F240    |
> +--------------------------------------------------------+
>
>

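An added example, not part of this thread and not code from either poster, of the split Carl and Ed describe: a sender with a full XML stack emits the signed SOAP action and its SignedInfo already in canonical form, while the constrained receiver verifies in one SAX pass with no general-purpose XML Signature processor. The receiver assumes a fixed profile (Exclusive C14N, HMAC-SHA256, one Reference, no Transforms, the "ds" prefix, the signed element directly under s:Body) and rejects anything else; its serializer reproduces exclusive C14N only under those assumptions (prefixes used on element names only, no comments or PIs, no PrefixList), which is exactly the "more assumptions, less computing" trade Ed mentions. The SwitchPower action, the Id value "cmd", the key name "lamp-1" and the key are constructed sample data, and none of this is UPnP's actual signature profile.

```python
import base64, hashlib, hmac, xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Algorithm URIs are the standard XMLDSig / RFC 6931 ones; the rest of the profile (prefix "ds",
# one Reference, no Transforms, HMAC keys found by ds:KeyName) is this example's assumption.
DS = "http://www.w3.org/2000/09/xmldsig#"
EXPECTED = {"ds:CanonicalizationMethod": "http://www.w3.org/2001/10/xml-exc-c14n#",
            "ds:SignatureMethod": "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256",
            "ds:DigestMethod": "http://www.w3.org/2001/04/xmlenc#sha256"}
TEXT_FIELDS = ("ds:DigestValue", "ds:SignatureValue", "ds:KeyName")
TEXT_ESC = str.maketrans({"&": "&amp;", "<": "&lt;", ">": "&gt;", "\r": "&#xD;"})   # C14N escaping
ATTR_ESC = str.maketrans({"&": "&amp;", "<": "&lt;", '"': "&quot;", "\t": "&#x9;", "\n": "&#xA;", "\r": "&#xD;"})

def check(cond, why):
    if not cond: raise ValueError(why)
class MinimalC14nHandler(ContentHandler):
    # One SAX pass: re-serialise only ds:SignedInfo and the referenced element under a cut-down exclusive
    # C14N (prefixes on element names only; no comments, PIs or PrefixList) and collect the few fields needed.
    def __init__(self, expected_id, expected_parent):
        super().__init__()
        self.expected_id, self.expected_parent = expected_id, expected_parent
        self.names, self.scopes, self.fields = [], [{}], {}    # open elements; prefix->URI per level
        self.cap = self.signed_info = self.target = self.text = None   # cap: subtree being captured

    def startElement(self, name, attrs):
        scope, plain = dict(self.scopes[-1]), []
        for k, v in attrs.items():
            if k.split(":")[0] == "xmlns": scope[k[6:]] = v    # "xmlns" -> "" (default), "xmlns:p" -> "p"
            else: check(":" not in k, "prefixed attributes are outside the profile"); plain.append((k, v))
        check(name != "ds:Signature" or scope.get("ds") == DS, "ds is not bound to the XMLDSig namespace")
        if name in EXPECTED or name in TEXT_FIELDS or name in ("ds:Reference", self.expected_parent):
            check(name not in self.fields and self.text is None, "duplicate or nested " + name)
            if name in TEXT_FIELDS: self.text = []
            else: self.fields[name] = attrs.get("Algorithm" if name in EXPECTED else "URI")
        if self.cap is None and (name == "ds:SignedInfo" or attrs.get("Id") == self.expected_id):
            check(name == "ds:SignedInfo" or self.names[-1:] == [self.expected_parent],
                  "referenced element is not a child of " + self.expected_parent)
            self.cap = {"stop": len(self.names), "buf": [], "ns": [{"": ""}]}
        if self.cap is not None:                               # render this start tag in canonical form
            prefix = name.split(":")[0] if ":" in name else ""
            uri, ns, buf = scope.get(prefix, ""), dict(self.cap["ns"][-1]), self.cap["buf"]
            buf.append("<" + name)
            if ns.get(prefix) != uri:                          # exclusive C14N: declare where first used
                buf.append(f' {"xmlns:" + prefix if prefix else "xmlns"}="{uri.translate(ATTR_ESC)}"')
                ns[prefix] = uri
            buf.extend(f' {k}="{v.translate(ATTR_ESC)}"' for k, v in sorted(plain))
            buf.append(">")
            self.cap["ns"].append(ns)
        self.names.append(name); self.scopes.append(scope)

    def characters(self, content):
        if self.cap is not None: self.cap["buf"].append(content.translate(TEXT_ESC))
        if self.text is not None: self.text.append(content)

    def endElement(self, name):
        if name in TEXT_FIELDS:                                # base64 may be line-wrapped: drop whitespace
            self.fields[name], self.text = "".join("".join(self.text).split()), None
        self.names.pop(); self.scopes.pop()
        if self.cap is not None:
            self.cap["buf"].append("</" + name + ">"); self.cap["ns"].pop()
            if len(self.names) == self.cap["stop"]:
                slot = "signed_info" if name == "ds:SignedInfo" else "target"
                check(getattr(self, slot) is None, "duplicate " + slot)
                setattr(self, slot, "".join(self.cap["buf"])); self.cap = None

def verify_message(xml_bytes, keys, expected_id, expected_parent="s:Body"):
    # Receiver side: returns (True, canonical signed element) so the caller acts on what was verified, else (False, reason).
    h, parser = MinimalC14nHandler(expected_id, expected_parent), xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False); parser.setContentHandler(h)  # no external entities
    try:
        parser.feed(xml_bytes); parser.close()
        f, b64 = h.fields, lambda k: base64.b64decode(h.fields.get(k, ""), validate=True)
        check(h.signed_info is not None and h.target is not None, "SignedInfo or referenced element missing")
        check(all(f.get(e) == a for e, a in EXPECTED.items()), "unexpected or missing algorithm")
        check(f.get("ds:Reference") == "#" + expected_id, "signature does not cover the expected element")
        check(f.get("ds:KeyName") in keys, "unknown key")
        check(hmac.compare_digest(hashlib.sha256(h.target.encode()).digest(), b64("ds:DigestValue")), "digest mismatch")
        mac = hmac.new(keys[f["ds:KeyName"]], h.signed_info.encode(), hashlib.sha256).digest()
        check(hmac.compare_digest(mac, b64("ds:SignatureValue")), "signature mismatch")
        return True, h.target
    except (ValueError, xml.sax.SAXException) as e:            # binascii.Error is a ValueError
        return False, str(e)

def signed_envelope(canonical_target, ref_id, key_name, key):
    # Sender side: it controls its output, so SignedInfo is written directly in exclusive-C14N form (a real sender would run C14N).
    c14n, sm, dm = EXPECTED.values()
    digest = base64.b64encode(hashlib.sha256(canonical_target.encode()).digest()).decode()
    body = (f'<ds:CanonicalizationMethod Algorithm="{c14n}"></ds:CanonicalizationMethod>'
            f'<ds:SignatureMethod Algorithm="{sm}"></ds:SignatureMethod><ds:Reference URI="#{ref_id}">'
            f'<ds:DigestMethod Algorithm="{dm}"></ds:DigestMethod><ds:DigestValue>{digest}</ds:DigestValue></ds:Reference>')
    b64mac = base64.b64encode(hmac.new(key, f'<ds:SignedInfo xmlns:ds="{DS}">{body}</ds:SignedInfo>'.encode(), hashlib.sha256).digest()).decode()
    sig = (f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>{body}</ds:SignedInfo><ds:SignatureValue>{b64mac}'
           f'</ds:SignatureValue><ds:KeyInfo><ds:KeyName>{key_name}</ds:KeyName></ds:KeyInfo></ds:Signature>')
    return (f'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Header>{sig}'
            f'</s:Header><s:Body>{canonical_target}</s:Body></s:Envelope>').encode()

# Constructed sample, not captured UPnP traffic: a SwitchPower SetTarget action and a made-up key.
KEYS = {"lamp-1": b"constructed-shared-secret"}
TARGET = '<u:SetTarget xmlns:u="urn:schemas-upnp-org:service:SwitchPower:1" Id="cmd"><NewTargetValue>1</NewTargetValue></u:SetTarget>'
```

Calling `verify_message(signed_envelope(TARGET, "cmd", "lamp-1", KEYS["lamp-1"]), KEYS, "cmd")` returns the canonical SetTarget element; the same message re-serialised by another XML writer (self-closing tags, single quotes, attributes reordered) still verifies, because the receiver's SAX pass normalises exactly those differences. Because the receiver also checks the Reference URI, the parent of the referenced element, and duplicate Ids and Bodies in the same pass, a signed element moved into a wrapper or copied beside an unsigned one is rejected; the caller should act only on the element the verifier returns, not on a second lookup by Id. Outside the stated profile the serializer is not a substitute for a real C14N implementation.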
Received on Thursday, 25 July 2002 10:25:11 UTC