- From: Taki Kamiya <tkamiya@us.fujitsu.com>
- Date: Wed, 3 Jun 2009 11:32:25 -0700
- To: "'Paul Pierce'" <prp@teleport.com>, <public-exi-comments@w3.org>
Hi Paul, Preserve.lexicalValues is one of the EXI options which allows us to remain compatible with existing XML security standards. We currently specify it as a best practice when using EXI with existing XML security standards. Please note that in every EXI option configuration, EXI enables the reconstruction of the same infoset after round-trip (either XML->EXI->XML or EXI->XML->EXI) to the degree required by the fidelity setting indicated by the option. What this means is that it is still necessary for data values to be able to round-trip to the text representation without loss of precision. We appreciate your perspective on the Best Practices document as it relates EXI to the use of XML Security in particular. When the EXI WG started working on the Best Practices document, XML Signature/Encryption specifications had already been published as REC. It would have been irresponsible if we did not describe the way EXI can be used with the existing XML Security specifications. If we were allowed to start from scratch without such existing assets, we might have chosen some other ways similar to the one that you suggested, as the recommended method. It is precisely because of this legacy constraint that we feel that we are obliged to pursue the possibility of EXI C14N jointly with XML security WG in order to make sure the ideal practice will be eventually determined and become available. We agree that when an EXI C14N standard exists and is widely implemented, we can recommend it as a best practice. However, at this point, people are using XML C14N, so we need to provide best practices for using EXI and XML C14N together. This doesn't mean we are saying that using XML C14N is a best practice. We just providing best practices for using EXI and XML Security together because we know people will need to do that today. Although we intend to maintain the current description in the Best Practices document for now, we plan to allude the possibility of EXI C14N -- as a more efficient option than the current XML C14N. Regards, Taki Kamiya (for the EXI Working Group) -----Original Message----- From: public-exi-comments-request@w3.org [mailto:public-exi-comments-request@w3.org] On Behalf Of Paul Pierce Sent: Wednesday, May 20, 2009 11:19 PM To: Taki Kamiya; EXI Comments Subject: "RE: Support of IEEE float; Canonical XML" > At the same time, it is incumbent and no less important for EXI to be compatible > with the XML stack as it exists today which is entirely built on top of XML > Infoset. For this reason, EXI enables the reproduction canonicalized XML from > EXI given an adequate fidelity option, as it is mentioned in EXI Best Practices > document [2]. It seems possible to specify that the option Preserve.lexicalValues would impy that floats (at least) are stored in character form. This would free the standard to use any reasonable binary representation when Preserve.lexicalValues is not present, while preserving the ability to reproduce canonical XML when Preserve.lexicalValues is set. The practices outlined in Best Practices with respect to security are, as noted in my last comment, actually very poor practice. To fix this for XML signatures it will be necessary, as you said, to identify a set of canonical EXI representations (with identifying URI's) based on specified sets of options (probably none of which include Preserve.lexicalValues). For encryption it will be necessary to identify or specify a mechanism for encrypting EXI fragments instead of just encrypting XML and stuffing the result into an EXI stream. Once these tasks are complete, it will be possible to rewrite the Best Practices security section without mentioning canonical XML or the Preserve.lexicalValues option, and so that it reflects good practice in security. (None of this would affect the ability to generate repeatable canonical XML using Preserve.lexicalValues, but since thats not good for anything, especially if you have a lot of data, it will not be necessary to mention it in Best Practices, nor will it be necessary to worry much about its efficiency.) If its necessary to complete EXI before defining canonical EXI (dangerous, in my opinion) then as a bare minimum it is important to remove the requirement in Best Practices that Preserve.lexicalValues be used regardless of the method of canonicalization. Paul Pierce
Received on Wednesday, 3 June 2009 18:33:13 UTC