RE: XML and canonicalization

Don,

I strongly agree with both of your points.  
I definitely want to keep something like the
http://www.w3.org/yyyy/mm/Signature/core namespace.  

My goal was to keep simplify the results of the
canonicalization process by
enforcing the use of the XML Signature default name
space but, as Jim S. rightly points out, 
the W3C Canonicalization spec does not allow
default namespaces.  In a sense, I may have
been trying to introduce some level of
"syntax constraint" into the canonicalization 
process.

Anyway I've been looking at James Clark's
implementation of the W3C XML Canonicalization
draft.  In my view,
if it is reasonable to expect that applications
will have access to code that accurately implements
the W3C XML Canonicalization spec, then we can
consider using it for <SignedInfo>.  However,
if we expect
that a significant number of applicatons will have
to come up with their own canonicalization code,
then we have to be wary of how complicated the
canonicalization process becomes.

Regards, Ed
----------------
Don wrote...

What you say is fine for the exampe you give but

(1) people will want to embed stuff from other namespaces so we can't
just drop all prefixes and namespaces.  We could specify to drop the
http://www.w3.org/yyyy/mm/Signature/core namespace (or whatever the
namespace is for the v1 standard) and its corresponding prefix, if
any, leaving only other people's namespaces and their prefixes to be
canonicalized but

(2) thus far we have been going with the idea that, instead of a
version number, an XML DSIG Version 2 (or 1.1 or 3 or ...) would be
distinguished by using a different namespace.  While I suppose we
could still supress the XML DSIG v1 namespace, it doesn't really seem
worth it to make such a special case when as soon as there is a v2 the
namespace and prefix will have to spring back into presence in the
canonicalized form.

Donald

Received on Monday, 25 October 1999 14:19:17 UTC