W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > October to December 2004

RE: Encoding of signed document question

From: Ed Simon <edsimon@xmlsec.com>
Date: Tue, 21 Dec 2004 13:35:11 -0500
Message-Id: <200412211834.iBLIYYZP003948@mail4.magma.ca>
To: <w3c-ietf-xmldsig@w3.org>

If the C14N algorithm chosen requires UTF-8 reserialization, then all should
be fine; but XML Signature does not require a C14N to be used that
reserializes as UTF-8, right?

While I would whole-heartedly endorse a C14N with UTF-8 reserialization, I
have to assume (that in cases like the one proposed), that might not always
be the case.  So, my general recommendation is that if one has an XML
Signature, that any possibly disruptive changes to it be undone, before
trying to validate it.   I don't know the details of Hans' case and it may
be very well that there is no problem with validating the "ISO-8859-1"
version.  (Actually, if ISO-8859-1 is a subset of UTF-8, then I would not
expect any problem.)  But for the general question of encoding to something
not a subset of UTF-8, I would advise caution with respect to the choice of
C14N algorithms or that the original form of the signature be reconstituted
before validation.

Regards, Ed
========================================
Ed Simon
(613) 726-9645
edsimon@xmlsec.com 
Interested in XML, Web Services, or Security?  Visit "www.xmlsec.com".
Now available!  "Web Services Security" published by Osborne (ISBN#
0072224711)


-----Original Message-----
From: w3c-ietf-xmldsig-request@w3.org
[mailto:w3c-ietf-xmldsig-request@w3.org] On Behalf Of John Boyer
Sent: December 21, 2004 12:53 PM
To: Ed Simon; w3c-ietf-xmldsig@w3.org
Subject: RE: Encoding of signed document question


Hi Ed,

Why would it 'very likely' not validate?

The C14N phase of core validation automatically re-serializes using UTF-8,
regardless of the encoding of the original document.

Cheers,
John Boyer, Ph.D.
Senior Product Architect and Research Scientist PureEdge Solutions Inc.


-----Original Message-----
From: Ed Simon [mailto:edsimon@xmlsec.com]
Sent: Tuesday, December 21, 2004 9:43 AM
To: w3c-ietf-xmldsig@w3.org
Subject: RE: Encoding of signed document question



I am under the impression that the document is signed already, and that you
want to store it in a different encoding.  What you do with a document after
it is signed does not matter to XML Signature, however if you try to
validate the signature before restoring the document to its original form,
the signature will very likely not validate.

Have I understood you correctly?

Regards,
Ed
========================================
Ed Simon
(613) 726-9645
edsimon@xmlsec.com
Interested in XML, Web Services, or Security?  Visit "www.xmlsec.com".
Now available!  "Web Services Security" published by Osborne (ISBN#
0072224711)


-----Original Message-----
From: w3c-ietf-xmldsig-request@w3.org
[mailto:w3c-ietf-xmldsig-request@w3.org] On Behalf Of Hess Yvan
Sent: December 21, 2004 10:24 AM
To: 'w3c-ietf-xmldsig@w3.org'
Subject: Encoding of signed document question


Hi,

Do I have the right to store a signed XML document into a filesystem or a
database using a different encoding than "UTF-8"? In the context of my
application I have to save it using encoding "ISO-8859-1".
Is it conform to specifications ? What will be the incidence of a such
choice ?

Thanks for your answer.

Regards. Yvan Hess
Received on Tuesday, 21 December 2004 18:34:46 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:21:40 UTC