- From: <Frederick.Hirsch@nokia.com>
- Date: Wed, 26 Jan 2011 15:39:40 +0100
- To: <public-xmlsec@w3.org>
- CC: <Frederick.Hirsch@nokia.com>
Proposal below to simplify "Digital Signatures for Widgets" to only require C14N and not C14N11, see below.
The current Digital Signatures for Widgets CR draft is at http://www.w3.org/TR/widgets-digsig/
The draft currently states:
[[
A ds:Reference to same-document XML content MUST have a ds:Transform element child that specifies the canonicalization method. Canonical XML 1.1 MUST be specified as the Canonicalization Algorithm for this transform. A ds:Reference that is not to same-document XML content MUST NOT have any ds:Transform elements.
An implementation SHOULD be able to process a ds:Reference to same-document XML content when that ds:Reference does not have a ds:Transform child element, for backward compatibility. In this case the default canonicalization algorithm Canonical XML 1.0 will be used, as specified in XML Signature 1.1.
Note: The relevant section in XML Signature 1.1 is section 4.4.3.2, "The Reference Processing Model". This section states "Unless the URI-Reference is such a 'same-document' reference, the result of dereferencing the URI-Reference MUST be an octet stream. In particular, an XML document identified by URI is not parsed by the signature application unless the URI is a same-document reference or unless a transform that requires XML parsing is applied." In the same section the specification notes, "In this specification, a 'same-document' reference is defined as a URI-Reference that consists of a hash sign ('#') followed by a fragment or alternatively consists of an empty URI…" [XMLDSIG11].
]]
If you have implementation experience or comments, you might wish to respond on the public-webapps list.
regards, Frederick
Frederick Hirsch
Nokia
Begin forwarded message:
> From: ext Marcos Caceres <marcosc@opera.com>
> Date: January 26, 2011 8:42:45 AM EST
> To: public-webapps WG <public-webapps@w3.org>
> Subject: [widgets] W3C Widgets Digital Signatures implementer feedback
>
> Dear Web Apps WG,
> Opera would like to provide some feedback based on our implementation
> experience of the Widgets Digsig specification.
>
> Generally, we found that the specification is implementable but have
> significant concerns about the requirement on XML Canonicalization 1.1.
> Basically, we found that in practice you don't need it for this version
> of the spec as widget signatures do not make use of the things
> Canonicalization 1.1 addresses.
>
> We would like to propose the specification be changed to use XML
> Canonicalization 1.0 throughout the specification.
>
> If other implementers have found the same thing (i.e., they don't
> require Canonicalization 1.1), then please let's start a discussion about
> what changes need to be made to the specification and the potential
> impact of using Canonicalization 1.0 exclusively throughout.
>
> If we get rapid agreement, then we can move to updating the spec,
> changing the test cases, and republishing as a new LC ASAP.
>
> Kind regards,
> Marcos
>
Received on Wednesday, 26 January 2011 14:40:27 UTC
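
Added example, not part of the original message or of the specification: a small checker for the ds:Reference rule quoted from the CR draft above, classifying each reference as same-document (empty URI or `#fragment`) and reporting whether its ds:Transform children match the rule. The function names, the `required` parameter (which lets the same check be run with Canonical XML 1.0 to see what the proposal would change) and the sample signature are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
C14N10 = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"  # Canonical XML 1.0
C14N11 = "http://www.w3.org/2006/12/xml-c14n11"             # Canonical XML 1.1

def is_same_document(uri):
    # Definition quoted from XML Signature 1.1: empty URI, or '#' plus a fragment.
    return uri == "" or uri.startswith("#")

def check_references(signature_xml, required=C14N11):
    """Return (URI, verdict) per ds:Reference; `required` is an assumed knob
    so the same check can be run with C14N10 to model the proposal."""
    results = []
    for ref in ET.fromstring(signature_xml).iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI")
        algs = [t.get("Algorithm") for t in ref.iter(f"{{{DS}}}Transform")]
        if uri is None:
            verdict = "error: no URI attribute, cannot classify"
        elif not is_same_document(uri):
            # The draft: such a reference MUST NOT have any ds:Transform elements.
            verdict = "error: Transform on non-same-document reference" if algs else "ok"
        elif not algs:
            # Backward-compatibility case the draft says SHOULD be processable.
            verdict = "legacy: no Transform, default Canonical XML 1.0 applies"
        elif algs == [required]:
            verdict = "ok"
        else:
            verdict = "error: same-document reference uses other transform(s)"
        results.append((uri, verdict))
    return results

# Constructed sample, trimmed to the elements the rule looks at (no digests).
SAMPLE = f"""<Signature xmlns="{DS}"><SignedInfo>
  <Reference URI="config.xml"/>
  <Reference URI="#prop"><Transforms><Transform Algorithm="{C14N11}"/></Transforms></Reference>
  <Reference URI="#old"/>
  <Reference URI="index.html"><Transforms><Transform Algorithm="{C14N10}"/></Transforms></Reference>
</SignedInfo></Signature>"""

if __name__ == "__main__":
    for uri, verdict in check_references(SAMPLE):
        print(f"{uri!r:14} {verdict}")
```

The sample is parsed with the standard-library parser because it is constructed inline; signatures taken from untrusted widget packages should go through a hardened XML parser before a check like this.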