Re: Schema centric canonicalization - Need and status

Mike,
It is not binding to the schema that is the problem.  It is *using* 
the schema in the canonicalization process.  This is AFAIK currently 
not supported by XML DSig standards.

Well, you may use a reduced schema that does not alter instance data 
after validation.

thanx,
Anders

----Original Message----
From: mikemci@us.ibm.com
Date: Nov 16, 2005 4:30:36 PM
To: Josseline <anders.rundgren@telia.com>
Cc: w3c-ietf-xmldsig@w3.org, w3c-ietf-xmldsig-request@w3.org
Subj: Re: Schema centric canonicalization - Need and status

Why not just provide a single ds:Signature using standard 
canonicalization 
with one ds:Reference to the XML document and one ds:Reference to the 
Schema document?
Binds the document to the schema and therefore the schema provided 
content.




Josseline <anders.rundgren@telia.com> 
Sent by: w3c-ietf-xmldsig-request@w3.org
11/16/2005 10:17 AM
Please respond to
Josseline


To
w3c-ietf-xmldsig@w3.org
cc

Subject
Schema centric canonicalization - Need and status







Hi,
I'm working with standard for "Web Signing" [*].  In this work XML 
Schemas has been used extensively and together with XML DSig.

However, it seems that not even exclusive canonicalization is really 
fit for the task as it is not designed for schema-defined instance 
documents.  At least default attributes seems to break the current 
canonicalization algorithms.

Essentially I have two options.  Cripple schemas or invent a new 
algorithm.

None of these alternatives appear very tempting but I'm leaning 
towards the latter as the "patch" needed is fairly small.

Comments?

Anders Rundgren

*] The ability to in a browser sign a transation request or a static 
document, presented by a service provider.

Received on Wednesday, 16 November 2005 16:23:27 UTC