- From: <Frederick.Hirsch@nokia.com>
- Date: Wed, 7 Sep 2011 15:06:55 +0000
- To: <cantor.2@osu.edu>
- CC: <Frederick.Hirsch@nokia.com>, <steve.derose@openamplify.com>, <jboyer@PureEdge.com>, <w3c-ietf-xmldsig@w3.org>, <public-xmlsec@w3.org>, <cmsmcq@blackmesatech.com>, <ht@cogsci.ed.ac.uk>, <chris@w3.org>
Thanks, Scott for the clarification. Apologies Steve if I misread the question. The original Canonical XML requirements stated that the result of Canonical XML should be well-formed (section 3, number 2): http://www.w3.org/TR/1999/NOTE-xml-canonical-req-19990605 XML Security 1.1 requirements discusses the changes needed but did not change this requirement, http://www.w3.org/2008/xmlsec/Drafts/xmlsec-reqs/Overview.html XML Security 2.0 modified this requirement, explicitly stating that "Canonical output need not be valid XML" (section 3.3.2.2) http://www.w3.org/2008/xmlsec/Drafts/xmlsec-reqs2/Overview.html#modified-requirements We'll have to look at this more carefully. regards, Frederick Frederick Hirsch Nokia On Sep 7, 2011, at 10:57 AM, ext Cantor, Scott wrote: > On 9/7/11 10:51 AM, "Frederick.Hirsch@nokia.com" > <Frederick.Hirsch@nokia.com> wrote: >> >> It is the job of an XML document author to produce well-formed XML >> before any considerations of signing/encryption and XML Canonicalization. >> Any required escaping happens before security processing, and there are a >> variety of choices that can be made >> for such escaping, as well as other representation of information. >> Canonical XML is agnostic to these choices. > > I think his point is that in the process of following the spec, c14n > replaces those character references with the actual characters. So I think > the result of that is non-well-formed. I can't recall if it's an explicit > guarantee of c14n that the output be well-formed. I suspect it was a goal, > but not a guarantee. If so, it's not a bug, but perhaps something to > address in 2.0. > > -- Scott >
Received on Wednesday, 7 September 2011 15:09:43 UTC