- From: Scott Cantor <cantor.2@osu.edu>
- Date: Thu, 2 Jul 2009 11:10:08 -0400
- To: "'Edgar, Gerald'" <gerald.edgar@boeing.com>, "'XMLSec WG Public List'" <public-xmlsec@w3.org>
Edgar, Gerald wrote on 2009-07-01:
> WS-I BSP addresses Transforms as one unit and references a number of
> specifications from the W3C in specifying how to form the transform
> structures, but these are based on XML-DSIG 1.0. In DSIG 1.1
> (http://www.w3.org/TR/2009/WD-xmldsig-simplify-20090226/) transforms
> are broken up into three sections "Selection, Transforms and
> Canonicalization".

It's 2.0 where we want to change things, not 1.1, but yes, this is going to impact every downstream spec that tried to simplify the situation.

As I've been trying to convince people in the XRI TC, the profile of XMLSig that SAML uses is essentially an example of the same kind of simplification that Prateek is proposing, just expressed in terms of constraints on the original syntax and transforms, rather than bundled into a new transform. You limit yourself to Enveloped + Excl C14N, and allow only a single reference to an ID-based element at the root of a subtree. That lets you implement the simplified excl c14n algorithm described in that spec, which in turn is roughly similar to what we're trying to do in 2.0.

So anything that was sort of on the road to simplifying things via profile has to either stick with that, or rev to rely on the new approach. My expectation is that some people (ok, me) will implement new signature libraries that implement only this constrained approach (probably without XPath as well), and we'll special-case the old profile(s) to support it alongside the new model.

-- Scott
Received on Thursday, 2 July 2009 15:10:39 UTC
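The constrained profile Scott describes (one Reference, a same-document ID reference to the root of the signed subtree, only the Enveloped-Signature and Exclusive C14N transforms) is easy to enforce before any cryptographic verification runs. The following checker is an added example, not code from the message or from any SAML or XMLSig library; the sample assertion it parses is constructed here and omits the key and digest material a real signature carries.

```python
# Added example: validate that a ds:Signature under the document root obeys the
# SAML-style constrained XMLSig profile (single ID-based Reference to the root,
# Enveloped-Signature + Exclusive C14N only). Rejecting anything else up front
# keeps a verifier from ever evaluating arbitrary transforms such as XPath.
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
ALLOWED = {ENVELOPED, EXC_C14N}


def profile_violations(root):
    """Return a list of profile violations for the ds:Signature child of root."""
    sig = root.find(f"{{{DS}}}Signature")
    if sig is None:
        return ["no ds:Signature child of root"]
    problems = []
    c14n = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}CanonicalizationMethod")
    if c14n is None or c14n.get("Algorithm") != EXC_C14N:
        problems.append("SignedInfo canonicalization is not Exclusive C14N")
    refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if len(refs) != 1:
        problems.append(f"expected exactly one Reference, found {len(refs)}")
        return problems
    ref = refs[0]
    uri = ref.get("URI", "")
    # The single Reference must point by ID at the element being signed (the root).
    if not uri.startswith("#") or uri[1:] != root.get("ID"):
        problems.append(f"Reference URI {uri!r} does not name root ID {root.get('ID')!r}")
    algs = [t.get("Algorithm") for t in ref.findall(f"{{{DS}}}Transforms/{{{DS}}}Transform")]
    extra = sorted(set(algs) - ALLOWED)
    if extra:
        problems.append(f"disallowed transforms: {extra}")
    if ENVELOPED not in algs:
        problems.append("enveloped-signature transform missing")
    return problems


def check(xml_text):
    """Parse a document and report profile violations (empty list means OK)."""
    return profile_violations(ET.fromstring(xml_text))


# Constructed sample: a SAML-like assertion signed under the constrained profile.
GOOD = f"""<Assertion xmlns="urn:example:saml" ID="a1"><Signature xmlns="{DS}">
<SignedInfo><CanonicalizationMethod Algorithm="{EXC_C14N}"/>
<Reference URI="#a1"><Transforms><Transform Algorithm="{ENVELOPED}"/>
<Transform Algorithm="{EXC_C14N}"/></Transforms></Reference></SignedInfo>
</Signature></Assertion>"""
# Same document with an XPath transform swapped in; the profile rejects it.
BAD = GOOD.replace(f'Transform Algorithm="{EXC_C14N}"',
                   'Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116"')
```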