Re: C14N isn't widely used?

From: Rich Salz <rsalz@datapower.com>
Date: Thu, 24 Feb 2005 16:28:49 -0500
Message-ID: <421E4711.3090607@datapower.com>
To: Norman Walsh <Norman.Walsh@Sun.COM>
CC: www-tag@w3.org

Norman Walsh wrote:
> Rich Salz says[1]
> 
>    Also c14n can already be broken by xmlns, so this doesn't create a
>    new problem, it just makes an existing one bigger. Viewed
>    parochially, web services use exc-c14n anyway, so let's use xml:id.
> 
> Is it true that Exc-C14N is actually the more widely deployed spec?

For web services, the answer is a resounding yes.

I don't know of any XML signature library that implements c14n without 
also implementing exc-c14n.  Among the groups saying use exc-c14n and 
not c14n are WS-Security, SAML, XACML, and the WS-I basic profile.

You really cannot use c14n if you are signing something that someone may 
put into a SOAP message.

Hope this helps.

	/r$

-- 
Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
Received on Thursday, 24 February 2005 21:28:29 GMT
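
The breakage described in the message above, as an added example that is not part of the original post: a simplified canonicalizer (namespace declarations only, no character escaping, attributes ordered by qualified name) showing that inclusive c14n changes the digest of an element once it sits inside a SOAP envelope, while exc-c14n does not. The `urn:example:*` namespaces and the `o:Order` document are constructed for illustration.

```python
import hashlib
from xml.dom import minidom

# Constructed sample: one <o:Order> element, standalone and wrapped in a SOAP envelope.
ORDER = '<o:Order xmlns:o="urn:example:order"><o:Item>42</o:Item></o:Order>'
SOAP = ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:wsu="urn:example:wsu"><soap:Body>' + ORDER + '</soap:Body></soap:Envelope>')

def is_nsdecl(name):
    return name == "xmlns" or name.startswith("xmlns:")

def prefix_of(qname, is_attr=False):
    p, sep, _ = qname.partition(":")
    return p if sep else (None if is_attr else "")  # unprefixed attributes use no namespace

def in_scope(elem):
    """All namespace declarations in scope at elem ({prefix: uri}, nearest wins)."""
    ns, node = {}, elem
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        for name, value in node.attributes.items():
            if is_nsdecl(name):
                ns.setdefault(name.partition(":")[2], value)
        node = node.parentNode
    return ns

def canon(elem, exclusive, rendered=None):
    """Simplified canonical form of elem's subtree (assumption: no escaping needed)."""
    rendered = dict(rendered or {})
    plain = sorted((n, v) for n, v in elem.attributes.items() if not is_nsdecl(n))
    scope = in_scope(elem)  # inclusive c14n: everything inherited from ancestors
    if exclusive:  # exc-c14n: keep only prefixes visibly used on this element
        used = {prefix_of(elem.tagName)} | {prefix_of(n, True) for n, _ in plain}
        scope = {p: u for p, u in scope.items() if p in used}
    out = "<" + elem.tagName
    for p, u in sorted(scope.items()):
        if rendered.get(p) != u:  # not already emitted by an output ancestor
            out += ' xmlns%s="%s"' % (":" + p if p else "", u)
            rendered[p] = u
    out += "".join(' %s="%s"' % nv for nv in plain) + ">"
    for child in elem.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            out += canon(child, exclusive, rendered)
        elif child.nodeType == child.TEXT_NODE:
            out += child.data
    return out + "</" + elem.tagName + ">"

def digest(xml, exclusive):
    """SHA-256 over the canonical bytes of the o:Order subtree, as a signer would hash it."""
    order = minidom.parseString(xml).getElementsByTagName("o:Order")[0]
    return hashlib.sha256(canon(order, exclusive).encode("utf-8")).hexdigest()
```

With inclusive c14n the wrapped element picks up `xmlns:soap` and `xmlns:wsu` from the envelope, so a digest computed before wrapping no longer verifies; the exclusive form is identical in both contexts.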