Canonical EXI application

Dear XML security experts and EXI fellows,

As you may have noticed the EXI working group recently published the first public working draft for "Canonical EXI" [1] and is currently working on the second version.

Canonical EXI is meant to offer the same properties as Canonical XML and allows comparisons of XML documents where plain-text XML is difficult to handle due to various reasons (e.g., document size and processing overhead).

One prominent application field for Canonical EXI is XML signature. During signature generation, the digest is computed over the canonical EXI form. The canonicalization process of EXI bases upon the knowledge of the used EXI options [2] which is an optional part of the EXI header. These options communicate the various EXI options that have been used to encode the actual XML information with EXI.

Hence, the EXI options are crucial to be known (e.g., out-of-band if not present in the EXI stream) by the recipient to successfully validate the signature.  We see two independent layers.

1) What gets hashed
We would tend to recommend that the hash is generated for the Canonical EXI stream taking also into account EXI options.

One issue in that regard is the schemaId in EXI.  The EXI specification does not dictate the syntax or semantics of this field. Hence we assume that applications take care of the appropriate use.

2) How to exchange and share the EXI options within XML Signature
Based on feedback and internal discussions the question arises whether and how the EXI working group may facilitate sharing the EXI options.

We have been identifying possible approaches (exclusively a, exclusively b, or permit both a and b).

a) EXI options within XML signature
The EXI options shall be exchanged within XML signature (for example as values within the <CanonicalizationMethod> element).

b) EXI options within EXI canonicalization The EXI options ought to be a mandatory part of the EXI stream.


Depending on the point of view (e.g., security vs. complexity) we can see various pros and cons and would like to get your feedback on our reasoning. Also we are keen to know whether you think the work should be handled within the EXI specification and/or the XML signature work.

Thank you very much for any insight,

Daniel
for the EXI Working Group

[1] http://www.w3.org/TR/2013/WD-exi-c14n-20130924/
[2] http://www.w3.org/TR/exi/#options

Received on Wednesday, 5 February 2014 09:17:45 UTC