- From: Magnus Nyström <magnus@rsa.com>
- Date: Wed, 25 Feb 2009 12:48:58 +0100 (W. Europe Standard Time)
- To: Konrad Lanz <Konrad.Lanz@iaik.tugraz.at>
- cc: XMLSec WG Public List <public-xmlsec@w3.org>
Konrad, I think it was precisely the cited lack of use of SC14n that caused us not to include such a note. See e.g. http://lists.w3.org/Archives/Public/public-xmlsec/2008Nov/0055.html -- Magnus On Tue, 24 Feb 2009, Konrad Lanz wrote: > http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/#avoid-default-schema-values > > Shouldn't the last sentence rather say the following: > > s/The net result being that what is verified will not be what was > signed./The net result being that what is verified will not be what was > signed and cause the signature to break./ > > Further as I mentioned before this Section deserves a note as follows, > which does not necessarily have to reference SC14n: > > Note: Schema Centric Canonicalization (SC14n) has been proposed to > canonicalize XML with respect to an XML Schema (default values, > namespace prefix desensitization, namespace attribute normalization, > data-type canonicalization, data-type canonicalization). Besides the > UDDI context however, ScC14n seems to be only used in MPEG-21. Otherwise > - to our knowledge - it has hardly been used, nor yet as of 2008 been > implemented by major vendors of XMLDSIG implementations [X]. > > BR > Konrad > > [X] http://tinyurl.com/MT-Konrad-Lanz-OASIS-DSS#nameddest=subsection.2.5.4 > > btw. Is there a reference somewhere in the minutes that indicates why > http://www.w3.org/2008/xmlsec/track/issues/75 is closed? > > Opened: 2008-11-18 > Closed: 2008-12-17 > > Could neither find in: > http://www.w3.org/2008/12/02-xmlsec-minutes > http://www.w3.org/2008/12/09-xmlsec-minutes > http://www.w3.org/2008/12/16-xmlsec-minutes > >
Received on Wednesday, 25 February 2009 11:49:45 UTC