- From: Frederick Hirsch <frederick.hirsch@nokia.com>
- Date: Thu, 25 Sep 2008 16:10:40 -0400
- To: XMLSec WG Public List <public-xmlsec@w3.org>
fyi, from a public list, see item #3.

> 3. Canonicalization is difficult and typically 80% of digital signature
> failures derive from canonicalization bugs. Of those 95% are
> XML namespace related (curse the inventor of XML namespaces), and
> 4% are whitespace related.

http://lists.oasis-open.org/archives/security-services/200809/msg00054.html

regards, Frederick

Frederick Hirsch
Nokia

Begin forwarded message:

> From: "ext sampo@symlabs.com" <sampo@symlabs.com>
> Date: September 25, 2008 3:27:06 PM EDT
> To: "Paul Madsen" <paulmadsen@rogers.com>
> Cc: "oasis sstc" <security-services@lists.oasis-open.org>
> Subject: Re: [security-services] Query submitted to saml.xml.org
> Reply-To: sampo@symlabs.com
>
> Paul Madsen wrote:
>> http://saml.xml.org/forum/calculating-digest-of-an-authentication-statement
>>
>> Dear Sirs, my name is Gianluca from Italy
>> I'm trying to calculate the Digest value of a SAML Authentication
>> Statement with the SHA-1 algorithm. Let us suppose that we are dealing
>> with a string representing the following node:
>>
>> <saml:AuthenticationStatement>
>> <saml:Subject>
>> <saml:NameIdentifier>GIANLUCA</saml:NameIdentifier>
>> </saml:Subject>
>> </saml:AuthenticationStatement>
>>
>> When I try to calculate SHA-1 with the function b64_sha1(str2Digest) what
>> exactly should the string str2Digest contain? I mean it should be equal to
>> "<saml:AuthenticationStatement><saml:Subject><saml:NameIdentifier>GIANLUCA</saml:NameIdentifier></saml:Subject></saml:AuthenticationStatement>"
>> or only "GIANLUCA" or ....what else?
>
> It's a pity he did not provide an email address, but let's hope this reaches
> him anyway.
>
> 1. There is no universally agreed way to digest Authentication Statements
> 2. "Universally" agreed way to digest XML in general is exc-c14n (exclusive
> canonicalization) [XML-EXC-C14N]. This method is used by all certified
> SAML implementations. It is also the method used by digital
> signatures [XMLDSIG].
> 3. Canonicalization is difficult and typically 80% of digital signature
> failures derive from canonicalization bugs. Of those 95% are
> XML namespace related (curse the inventor of XML namespaces), and
> 4% are whitespace related.
> 4. For what you are apparently trying to do, it is important to
> digest the entire canonicalized Authentication Statement.
> If the question had been about canonicalizing the NameID, it
> would still be important to digest the entire canonicalized
> Name Identifier as the actual value in isolation is meaningless.
> You need the identifier type and namespace qualification
> for the digest to be meaningful.
>
> [XML-C14N] XML Canonicalization (non-exclusive),
> http://www.w3.org/TR/2001/REC-xml-c14n-20010315; J. Boyer:
> "Canonical XML Version 1.0", W3C Recommendation, 15.3.2001,
> http://www.w3.org/TR/xml-c14n, RFC3076
>
> [XML-EXC-C14N] Exclusive XML Canonicalization,
> http://www.w3.org/TR/xml-exc-c14n/
>
> [XMLDSIG] "XML-Signature Syntax and Processing", W3C Recommendation,
> 12.2.2002, http://www.w3.org/TR/xmldsig-core, RFC3275
>
> Cheers,
> --Sampo
Received on Thursday, 25 September 2008 20:12:14 UTC