Re: Soap Message Canonicalization (SM-C14N)

> It could use some examples to demonstrate before and
> after examples (XML-C14N[1] does this).


I thought of examples, and will make some -- is it okay to use XML 1.0 
serialization, or should I use some infoset notation?

> I agree with Henrik regarding his comments on lexical ordering
> [2]. This may require a little more noodling.


I tried to make it more explicit how the ordering is done:
"When targeted to multiple element information items, each is processed
as described above.  The serialized values of the elements (and their
content) are then sorted lexicographically, and a single newline (&#A)
is inserted between each one.  Note that if no elements have the same
QName attribution information item, then it is possible to sort before
doing individual canonicalization, allowing streaming output."

>     1) do we want to define SOAP c14n in terms of Infoset so that
>     it applies to all possible serializations?
>     2) does this c14n algorithm apply exclusively in terms
>     of XML1.0 serializations of the Infoset?


So far, the only stated purpose of SM-C14N is to produce a canonical 
bytestream for crypto operations, so I'm inclined to #2.  I'd be loath 
to write an infoset version of standard XML-C14N, which this 
incorporates by reference.

Attached is the tweaked version, for your weekend reading pleasure.
	/r$



-- 
Zolera Systems, http://www.zolera.com
Information Integrity, XML Security

This is the second version of SM-C14N.  It has the following changes:
    Fix to "remove actor attribute" misunderstanding
    Explain sorting is on full serialized element


Soap Message Canonicalization (SM-C14N) (v.2)
---------------------------------------

Because intermediaries have some flexibility in serializing messages that
pass through them, it is necessary to define a canonicalization method so
that all semantically equivalent serializations will render identically.
This is necessary, e.g., to generate a message digest for a digital
signature, maintain a replay cache, and so on.

This mechanism is called SOAP Message Canonicalization (SM-C14N).
It is identified by the following URI: [[value needed]].  SM-C14N can be
targeted at an individual header or body element, a set of such elements,
or an entire SOAP message; the result is an XML1.0 byte-stream serialization
suitable for input into a cryptographic hash, etc.

When targeted to an individual element information item, the following
steps are performed:
1.  Any namespace declarations that are inherited from the outer SOAP
    element, and used within the element, are treated as if they were
    declared by the element.
2.  If the SOAP mustUnderstand attribute information item is present
    with a non-false value, the value is taken to be "1".
3.  If the SOAP mustUnderstand attribute information item is present
    with a false value, the attribute information item is ignored.
4.  If the SOAP actor attribute information item has the value of
    <<the well-known URI for the ultimate recipient>>, the attribute
    information item is ignored.
5.  The element is then processed according to XML-C14N, and that
    serialization is taken to be the result.

When targeted to multiple element information items, each is processed
as described above.  The serialized values of the elements (and their
content) are then sorted lexicographically, and a single newline (&#A)
is inserted between each one.  Note that if no elements have the same
QName attribution information item, then it is possible to sort before
doing individual canonicalization, allowing streaming output.

When targeted to a SOAP Header or Body element information item, the
result is computed as if the canonicalization was applied only to all
the immediate child elements of the SOAP element.  Note that the SOAP
Header or Body element information item itself is not directly used.

When targeted to a SOAP message information item, the result is
calculated as the concatenation of targeting the SOAP Header element
information item, a single newline, and targeting the SOAP Body element
information item.  Note that the SOAP Message element information item
itself is not directly used.
	-30-

Received on Friday, 15 February 2002 17:21:43 UTC
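
The SM-C14N steps from the attached draft, as an added Python example that is not part of the original message or the author's code. It assumes the SOAP 1.1 envelope namespace, "0" and "false" as the false values, a placeholder `urn:example:ultimate-recipient` for the URI the draft leaves open, and an empty result for a missing Header. The standard library's C14N 2.0 with prefix rewriting stands in for XML-C14N, because ElementTree does not keep the original prefixes.

```python
import copy
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"  # assumption: SOAP 1.1 envelope namespace
ULTIMATE = "urn:example:ultimate-recipient"  # placeholder: the draft leaves this URI open
MU, ACTOR = f"{{{SOAP}}}mustUnderstand", f"{{{SOAP}}}actor"

def c14n_entry(elem):
    """Steps 1-5 for one header or body entry; returns UTF-8 bytes."""
    e = copy.deepcopy(elem)
    e.tail = None  # whitespace after the entry belongs to the parent, not the entry
    if MU in e.attrib:
        if e.attrib[MU].strip() in ("0", "false"):  # assumed false lexical values
            del e.attrib[MU]                         # step 3: false value is ignored
        else:
            e.attrib[MU] = "1"                       # step 2: any non-false value is "1"
    if e.attrib.get(ACTOR) == ULTIMATE:
        del e.attrib[ACTOR]                          # step 4: default actor is ignored
    # Step 1: serialising the entry alone re-declares every namespace it uses.
    alone = ET.tostring(e, encoding="unicode")
    # Step 5, with stdlib C14N 2.0 standing in for XML-C14N (see assumptions).
    return ET.canonicalize(alone, rewrite_prefixes=True).encode("utf-8")

def c14n_entries(elems):
    """Multiple targets: canonicalise each, sort the results, join with one newline."""
    return b"\n".join(sorted(c14n_entry(e) for e in elems))

def c14n_message(envelope_xml):
    """Whole message: Header children, a single newline, then Body children."""
    env = ET.fromstring(envelope_xml)
    parts = []
    for name in ("Header", "Body"):
        node = env.find(f"{{{SOAP}}}{name}")
        parts.append(c14n_entries(list(node)) if node is not None else b"")
    return b"\n".join(parts)

# Constructed sample: one message before (A) and after (B) an intermediary re-serialised it.
MSG_A = (f'<s:Envelope xmlns:s="{SOAP}" xmlns:t="urn:example:tx"><s:Header>'
         '<t:Txn s:mustUnderstand="true" id="7">42</t:Txn>'
         f'<t:Trace s:mustUnderstand="0" s:actor="{ULTIMATE}">x</t:Trace>'
         '</s:Header><s:Body><t:Pay amount="10"/></s:Body></s:Envelope>')
MSG_B = (f'<s:Envelope xmlns:s="{SOAP}"><s:Header>'
         '<t:Trace xmlns:t="urn:example:tx">x</t:Trace>'
         "<t:Txn xmlns:t='urn:example:tx' id='7' s:mustUnderstand='1'>42</t:Txn>"
         '</s:Header><s:Body><t:Pay xmlns:t="urn:example:tx" amount="10"></t:Pay>'
         '</s:Body></s:Envelope>')

if __name__ == "__main__":
    print(c14n_message(MSG_A).decode())
    print("same bytes:", c14n_message(MSG_A) == c14n_message(MSG_B))
```

Both sample serializations yield the same byte stream, which is what a digest or replay cache would be computed over.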