Re: SOAP Message Canonicalization

[Continuing to trim the headers as the discussion gets more specific.]

On Friday 10 January 2003 12:40, Rich Salz wrote:
> > Sorry for the confusion, I meant specify a transform and assign it a
> > URI. Then assign another URI to the combination of the transform
> > specified and exclusive canonicalization as a 'new' canonicalization
> > algorithm.

I feel like I understand Marc, but I'm not following you, Rich.

> As it says, exclusive canonicalization is meant to address issues that
> come up when a signed message is packaged/enveloped.  Since the
> SignedInfo element itself is subject to the same package/enveloping
> issues, then one might want c14n-excl on  the SignedInfo element. But
> since you can't do arbitrary transforms, then each time you want to
> mix-and-match, you have to define a new URI that represents that
> combination.

This is true. However I don't think any of the conditions in [1] apply to 
SignedInfo. So SOAP Message Canonicalization would never have to be used 
over a SignedInfo.

[1] http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2003JanMar/att-0000/01-soap-c14n.html#N201

> Ugh.  Kiss interop goodbye.

Even if SOAP Message Canonicalization needed to be used against SignedInfo, 
then that argues for a single URI. But I don't see how that affects 
interop.
-- 
Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature/
W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/

Received on Friday, 10 January 2003 13:16:48 UTC