- From: XML Security Working Group Issue Tracker <sysbot+tracker@w3.org>
- Date: Tue, 7 Oct 2008 13:53:50 +0000 (GMT)
- To: public-xmlsec@w3.org
ISSUE-59 (consistent single location to define c14n URIs): Canonicalization URIs are not defined in consistent location leading to confusion [Errata-C14N]

http://www.w3.org/2008/xmlsec/track/issues/59

Raised by: Frederick Hirsch

On product: Errata-C14N

Title: Canonicalization URIs are not defined in consistent location leading to confusion

Description:

URIs for canonicalization algorithms are not defined in consistent and clear locations. As a result, it is possible for adopters to use an incorrect URI finding only some, but not all definitions.

URIs are currently defined as follows:

(a) The XML Signature Recommendation (both first and second edition) defines URIs for inclusive canonicalization:

Identifier for REQUIRED Canonical XML 1.0 (omits comments): http://www.w3.org/TR/2001/REC-xml-c14n-20010315

Identifier for Canonical XML 1.0 with Comments: http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments

and in second edition also:

Identifier for REQUIRED Canonical XML 1.1 (omits comments): http://www.w3.org/2006/12/xml-c14n11

Identifier for Canonical XML 1.1 with Comments: http://www.w3.org/2006/12/xml-c14n11#WithComments

see http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-c14nAlg

(b) The Exclusive Canonicalization Recommendation defines the following URIs for exclusive canonicalization in section 4:

http://www.w3.org/2001/10/xml-exc-c14n#

http://www.w3.org/2001/10/xml-exc-c14n#WithComments

See http://www.w3.org/TR/xml-exc-c14n/#sec-Use

(c) RFC 4051 defines a URI for minimal canonicalization (however this may not be adopted)

http://tools.ietf.org/html/rfc4051

The issue is the following:

a. The Canonical XML 1.0 and Canonical XML 1.1 Recommendations do not define the URIs for canonicalization, and more importantly do not indicate where they are defined.

b. The XML Signature Rec and the Canonical XML Recs have no indication of where the URI for exclusive canonicalization is defined.

c. The RFC is not well known.

Proposal: We define a new REC that defines all the Canonicalization URIs, and update both Canonicalization 1.1, Exclusive Canonicalization and XML Signature to reference this document explicitly, noting that the URIs are defined in that document, in particular in the sections that used to define the URIs. Remove URI definitions for canonicalization from the XML Signature and Canonicalization Recs.

Received on Tuesday, 7 October 2008 14:04:40 UTC
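
The confusion described in this issue can be checked for mechanically. The following is an added example, not part of the original message or of any W3C document: it audits the `CanonicalizationMethod` elements of a signature against the six identifiers listed above and separates exact matches from near-misses such as a dropped trailing `#`. The function names, the near-miss folding rule and the sample document are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"  # XML Signature namespace

# The six canonicalization identifiers listed in ISSUE-59.
C14N_URIS = {
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315": "Canonical XML 1.0",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments": "Canonical XML 1.0 with Comments",
    "http://www.w3.org/2006/12/xml-c14n11": "Canonical XML 1.1",
    "http://www.w3.org/2006/12/xml-c14n11#WithComments": "Canonical XML 1.1 with Comments",
    "http://www.w3.org/2001/10/xml-exc-c14n#": "Exclusive C14N",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments": "Exclusive C14N with Comments",
}

def _fold(uri):
    # Loose form used only to spot near-misses (hypothetical rule):
    # ignore case, surrounding whitespace and a trailing '#' or '/'.
    return uri.strip().lower().rstrip("#/")

_FOLDED = {_fold(u): u for u in C14N_URIS}

def classify(uri):
    """Return (verdict, detail) for one Algorithm attribute value."""
    if uri in C14N_URIS:          # exact string comparison is the only accept path
        return ("ok", C14N_URIS[uri])
    near = _FOLDED.get(_fold(uri))
    if near:                      # almost certainly a mistyped identifier
        return ("near-miss", near)
    return ("unknown", "")

def audit_c14n(xml_text):
    """Classify every CanonicalizationMethod Algorithm in document order."""
    root = ET.fromstring(xml_text)
    return [(el.get("Algorithm", ""),) + classify(el.get("Algorithm", ""))
            for el in root.iter(DSIG + "CanonicalizationMethod")]

# Constructed sample: one correct URI, two near-misses, one unrelated URI.
SAMPLE = """<Doc xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:SignedInfo>
 <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n"/></ds:SignedInfo>
 <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11#withcomments"/></ds:SignedInfo>
 <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://example.invalid/c14n"/></ds:SignedInfo>
</Doc>"""

if __name__ == "__main__":
    for uri, verdict, detail in audit_c14n(SAMPLE):
        print(f"{verdict:9} {uri} {detail}")
```

A verifier should accept only the `ok` verdict; the near-miss result is for diagnostics and must not be treated as equivalent to the listed identifier.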