ISSUE-59 (consistent single location to define c14n URIs): Canonicalization URIs are not defined in consistent location leading to confusion [Errata-C14N] from XML Security Working Group Issue Tracker on 2008-10-07 (public-xmlsec@w3.org from October 2008)

From: XML Security Working Group Issue Tracker <sysbot+tracker@w3.org>
Date: Tue, 7 Oct 2008 13:53:50 +0000 (GMT)
To: public-xmlsec@w3.org
Message-Id: <20081007135350.EB5FABF4F@nelson.w3.org>

ISSUE-59 (consistent single location to define c14n URIs): Canonicalization URIs are not defined in consistent location leading to confusion [Errata-C14N]

http://www.w3.org/2008/xmlsec/track/issues/59

Raised by: Frederick Hirsch
On product: Errata-C14N

Title: Canonicalization URIs are not defined in consistent location leading to confusion

Description: 

URIs for canonicalization algorithms are not defined in consistent and clear locations. As a result, it is possible for adopters to use an incorrect URI finding only some, but not all definitions. 

URIs are currently defined as follows:

(a) The XML Signature Recommendation (both first and second edition) defines URIs for inclusive canonicalization:

Identifier for REQUIRED Canonical XML 1.0 (omits comments):
http://www.w3.org/TR/2001/REC-xml-c14n-20010315
Identifier for Canonical XML 1.0 with Comments:
http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments

and in second edition also:
Identifier for REQUIRED Canonical XML 1.1 (omits comments):
http://www.w3.org/2006/12/xml-c14n11
Identifier for Canonical XML 1.1 with Comments:
http://www.w3.org/2006/12/xml-c14n11#WithComments

see 
http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-c14nAlg

(b) The Exclusive Canonicalization Recommendation defines the following URIs for exclusive canonicalization in section 4 ;

http://www.w3.org/2001/10/xml-exc-c14n#
http://www.w3.org/2001/10/xml-exc-c14n#WithComments

See http://www.w3.org/TR/xml-exc-c14n/#sec-Use

c) RFC 4051 defines a URI for minimal canonicalization (however this may not be adopted)

http://tools.ietf.org/html/rfc4051

The issue is the following:

a. The Canonical XML 1.0 and Canonical XML 1.1. Recommendations do not define the URIs for canonicalization, and more importantly do not indicate where they are defined.

b. The XML Signature Rec and the Canonical XML Recs have no indication of where the URI for exclusive canonicalization is defined.

c. The RFC is not well known.

Proposal:

We define a new REC that defines all the Canonicalization URIs, and update both Canonicalization 1.1, Exclusive Canonicalization and XML Signature to reference this document explicitly, noting that the URIs are defined in that document, in particular in the sections that used to define the URIs.

Remove URI definitions for canonicalization from the XML SIgnature and Canonicalization Recs.

Received on Tuesday, 7 October 2008 14:04:40 UTC