ISSUE-183: Constraining 2.0 c14n algorithm

So, the question is whether 2.0 mode signatures (in either Reference,
SignedInfo, or both) should lock down c14n to just the newly defined method,
or leave it open.

Currently we say nothing about SignedInfo, but Pratik indicated that sec 6.5
of the draft locks down Reference c14n to require the c14n 2.0 algorithm
only.

My proposal is that we do not restrict this in either Reference or
SignedInfo, but leave it open, subject to the constraint that for Reference
c14n, only algorithms defined for use with XML Signature 2.0 will work.
That's simply a consequence of the input interface (the list of subtrees
plus exclusions, etc.)

My reason for this is future-proofing, basically. Of course, c14n 2.0 would
be the only MTI algorithm.

As an alternative, if we leave the language as is, and require c14n 2.0 for
References, I believe we should make sure that the same is true for
SignedInfo. There's no use case for having a different rule there.

-- Scott

Received on Tuesday, 27 July 2010 16:00:40 UTC