
Re: Canonical XML revision

From: Jose Kahan <jose.kahan@w3.org>
Date: Thu, 15 Dec 2005 17:59:58 +0100
To: John Boyer <boyerj@ca.ibm.com>
Cc: w3c-ietf-xmldsig@w3.org
Message-ID: <20051215165958.GE2569@rakahanga.inrialpes.fr>

Hi John,

Here's my $0.02 as a newbie user of XML-SIG.

IMO, using a new algorithm identifier makes sense. The programmatic
and update effort will have to be done anyway. The xml:id spec states
that using C14 1.0 will produce invalid xml:id attribute values that are
not unique.

If you don't change the algorithm identifier, you can arrive at a
situation where someone signs an XML document that includes xml:id
using C14 1.1 (I'm not sure how it will be called). If someone uses a
legacy toolkit, the signature won't be valid. How to catch and
understand this error may cost lots of time to many people.

On the other hand, if when you create the signature, you use the new
algorithm identifier, then the legacy toolkit can warn you right away that
it doesn't understand C14 1.1. This may prompt me to check if there's a
newer version of the toolkit. This somehow is more comfortable than
"invalid signature" with no other reason.

This having been said, the xml:id note states that there is no such problem
with EXCL C14 1.0. As far as I understand, most people advise to only use
EXCL C14.0, rather than C14 1.0 in digital signatures.

I'd be curious to know if this is really the case. 

If yes, maybe it would make more sense to have an erratum or a revised
edition of the XMLSIG spec that says that the recommended XML
canonicalization algorithm is EXCL C14.0.

I'm interested in your feedback.

-jose
Received on Thursday, 15 December 2005 17:00:48 GMT
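
The behaviour the message argues for, as an added example that is not part of the original post or of any toolkit: a verifier that checks every declared canonicalization identifier before computing digests, so an unknown algorithm is reported as such instead of as "invalid signature". The revised algorithm's URI (`urn:example:c14n-revised`) is a placeholder, and `LEGACY_SUPPORTED`, `preflight` and `make_signature` are hypothetical names.

```python
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
C14N_10 = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
EXC_C14N_10 = "http://www.w3.org/2001/10/xml-exc-c14n#"
ENVELOPED = DSIG + "enveloped-signature"
# Placeholder only: the thread has not named the revised algorithm's identifier.
C14N_REVISED = "urn:example:c14n-revised"

# What a hypothetical legacy toolkit implements.
LEGACY_SUPPORTED = frozenset({C14N_10, EXC_C14N_10, ENVELOPED})


class UnsupportedAlgorithm(Exception):
    """Raised before any digest is computed, so it is never confused with a bad signature."""


def declared_algorithms(signature_xml):
    """Return (element name, Algorithm URI) for every canonicalization method and transform."""
    root = ET.fromstring(signature_xml)
    found = []
    for name in ("CanonicalizationMethod", "Transform"):
        for el in root.iter("{%s}%s" % (DSIG, name)):
            found.append((name, el.get("Algorithm")))  # None if the attribute is missing
    return found


def preflight(signature_xml, supported=LEGACY_SUPPORTED):
    """Refuse to validate when any declared algorithm is unknown to this toolkit."""
    unknown = [(n, a) for n, a in declared_algorithms(signature_xml) if a not in supported]
    if unknown:
        raise UnsupportedAlgorithm("; ".join("%s uses %s" % (n, a) for n, a in unknown))
    return True


def make_signature(c14n_uri):
    """Build a constructed, unsigned ds:Signature skeleton for the demonstration."""
    return (
        '<ds:Signature xmlns:ds="%s"><ds:SignedInfo>'
        '<ds:CanonicalizationMethod Algorithm="%s"/>'
        '<ds:Reference URI="#doc"><ds:Transforms>'
        '<ds:Transform Algorithm="%s"/><ds:Transform Algorithm="%s"/>'
        '</ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature>'
    ) % (DSIG, c14n_uri, ENVELOPED, c14n_uri)


if __name__ == "__main__":
    for uri in (EXC_C14N_10, C14N_REVISED):
        try:
            print(uri, "->", preflight(make_signature(uri)))
        except UnsupportedAlgorithm as exc:
            print(uri, "-> unsupported algorithm:", exc)
```

The check only works as an early warning if the signer declares a distinct identifier; a revised algorithm published under the old URI would pass `preflight` and fail later at digest comparison.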
