- From: Frederick Hirsch <frederick.hirsch@nokia.com>
- Date: Mon, 18 Aug 2008 10:39:58 -0400
- To: XMLSec WG XMLSec W3C <public-xmlsec@w3.org>
- Cc: Frederick Hirsch <frederick.hirsch@nokia.com>

There are many potential benefits from reducing complexity associated with canonicalization and signing, including reduced attack surface, improved performance, increased adoption due to understandability etc.

To reduce complexity we will need to do less, and maybe reduce the number of options. If we reduce complexity in the large we may get bigger wins than optimizing details though eventually the two will go together.

Can you please help list the assumptions we've made? Here are some possible ones:

1. The output of XML Canonicalization is well-formed XML [1]
2. The output of XML Canonicalization is XML that can be treated as if it were the source document, e.g. viewed, understood, used in place of the original document.
3. Canonicalization is idempotent - canonicalizing output of canonicalization leads to same result [1]
4. Full Unicode support required, alternate expressions of same character are equivalent [1]
5. Use Infoset terminology [1]
6. Namespace prefix values must be preserved (e.g. the literal prefix string preserved)
7. Namespace information is required. http://www.w3.org/2007/xmlsec/ws/papers/20-thompson/
8. QNames in context must be supported e.g. require namespace declarations used by QNames in content, even if namespace not used in elements/attributes
9. Signing can be performed on arbitrary node sets. How about node sets without an element node?
10. Transforms support both octet stream input and nodeset input

etc

As a WG we may need to schedule time to walk through C14N11 and Exclusive Canonicalization and list the implicit and explicit assumptions. Is there a WG member that could volunteer to do this in advance?

Please share additional assumptions and comment on the list.

regards, Frederick

Frederick Hirsch, Nokia
Chair XML Security WG

[1] http://www.w3.org/TR/NOTE-xml-canonical-req

Received on Monday, 18 August 2008 14:40:50 UTC
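
Assumptions 1, 3, 6 and 8 from the list above can be checked mechanically against a canonicalizer. The following is an added example, not part of the original message or of any WG document. It assumes Python 3.8+ and uses the standard library's `xml.etree.ElementTree.canonicalize`, which implements C14N 2.0 rather than the C14N11 or Exclusive Canonicalization the message discusses; the sample document and the helper names are constructed for illustration.

```python
import io
import xml.etree.ElementTree as ET

# Constructed sample: prefix "a" is used only inside an attribute value,
# i.e. a QName in content (assumption 8); prefix "p" is used by an element.
SAMPLE = (
    '<doc xmlns:a="urn:example:a" xmlns:p="urn:example:p">'
    '<p:item type="a:Widget" z="1" b="2">x</p:item></doc>'
)

def c14n(xml_text, qname_attrs=()):
    """Canonicalize with stdlib C14N 2.0 (assumption: stands in for C14N11)."""
    opts = {"qname_aware_attrs": set(qname_attrs)} if qname_attrs else {}
    return ET.canonicalize(xml_text, **opts)

def qnames_resolve(xml_text, attr):
    """True if every prefix used in values of `attr` is declared in scope."""
    scope = []  # prefixes currently in scope, innermost last
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, data in ET.iterparse(source, events=("start-ns", "start", "end-ns")):
        if event == "start-ns":
            scope.append(data[0])
        elif event == "end-ns":
            scope.pop()
        else:  # "start": attributes are available on the element
            value = data.get(attr, "")
            if ":" in value and value.split(":", 1)[0] not in scope:
                return False
    return True

def check_assumptions(xml_text, qname_attrs=()):
    """Evaluate assumptions 1, 3, 6 and 8 for one canonicalizer configuration."""
    out = c14n(xml_text, qname_attrs)
    ET.fromstring(out)  # assumption 1: raises ParseError if not well-formed
    return {
        "well_formed": True,
        "idempotent": c14n(out, qname_attrs) == out,   # assumption 3
        "prefix_preserved": "<p:item" in out,          # assumption 6
        "qnames_resolve": qnames_resolve(out, "type"), # assumption 8
    }

if __name__ == "__main__":
    print("default      :", check_assumptions(SAMPLE))
    print("QName-aware  :", check_assumptions(SAMPLE, qname_attrs=("type",)))
```

With default options the declaration for prefix `a` is omitted because no element or attribute name uses it, so the `type` value no longer resolves; declaring `type` as QName-aware keeps the declaration in the canonical form.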