RE: XML and canonicalization

Message-Id: <3.0.5.32.19991025154858.00b72360@localhost>
Date: Mon, 25 Oct 1999 15:48:58 -0400
To: Ed Simon <ed.simon@entrust.com>
From: "Joseph M. Reagle Jr." <reagle@w3.org>
Cc: "'w3c-ietf-xmldsig@w3.org'" <w3c-ietf-xmldsig@w3.org>
In-Reply-To: <01E1D01C12D7D211AFC70090273D20B101C4A8D8@sothmxs06.entrust
Subject: RE: XML and canonicalization

> At 14:17 99/10/25 -0400, Ed Simon wrote:
>  >consider using it for <SignedInfo>.  However,
>  >if we expect
>  >that a significant number of applications will have
>  >to come up with their own canonicalization code,
>  >then we have to be wary of how complicated the
>  >canonicalization process becomes.

Jim Clark has canonicalization code.  I know there is canonicalization
code in IBM that will work with any DOM and I believe that code will
be made open source.  I think there will be multiple interoperable
open implementations of XML canonicalization.

> To restate this point, the question is how "standardized" (how well does the
> spec read, how easy is it to write implementable/interoperable code from it)
> will this feature be, and do we need to place its standardization on the
> critical path. I feel more confident we can grapple with c14n than we can
> Xpath/Xptr/XSLT-dereferencing-processing-model in the short term, however I
> don't believe either is an absolutely necessary feature that should be
> required.
> 
> And the feature we are speaking of is I sign an XML document, it goes
> through numerous intermediate processors who may re-arrange the namespaces
> but otherwise don't change the content I signed, and my signature still
> works. This is very useful, but I don't think it is critical since we can
> orthogonally serve the community of people that don't need this feature
> sooner rather than later.

Nothing so complex is needed.  For example, it is entirely conformant
with the XML standards for any XML application to output, for
readability or other reasons, an attribute value with leading or
trailing white space, such as Id=" foobar ". It is required for any XML
application that is conformant with the standards to read that as
Id="foobar".  Thus, unless appropriate steps are taken, the simple act
of printing XML by a conformant XML application and the reading of
that XML by a second XML standards conformant application can break
signatures.

> _________________________________________________________
> Joseph Reagle Jr.   
> Policy Analyst           mailto:reagle@w3.org
> XML-Signature Co-Chair   http://w3.org/People/Reagle/

Donald
=====================================================================
 Donald E. Eastlake 3rd   +1 914-276-2668     dee3@torque.pothole.com
 65 Shindegan Hill Road, RR#1  +1 914-784-7913(work)  dee3@us.ibm.com
 Carmel, NY 10512 USA

Received on Wednesday, 27 October 1999 12:35:10 UTC
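
The breakage described in the message above, as an added example that is not part of the original thread: a digest over the raw bytes changes when an attribute value gains padding, while the value a parser reports does not. It assumes the attribute is declared as type ID in an internal DTD subset (the declaration, the sample documents and all function names are constructed for this example), and `parsed_view` is a simplified stand-in for a canonical form, not the W3C Canonical XML algorithm.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample documents: identical content, but the second copy was
# re-printed with white space padded inside the attribute value.
DTD = b'<!DOCTYPE doc [<!ATTLIST doc Id ID #IMPLIED>]>'
AS_SIGNED = DTD + b'<doc Id="foobar">payload</doc>'
AS_RECEIVED = DTD + b'<doc Id=" foobar ">payload</doc>'


def raw_digest(xml_bytes):
    """Digest over the serialized bytes, as a signer that skips
    canonicalization would compute it."""
    return hashlib.sha256(xml_bytes).hexdigest()


def parsed_view(elem):
    """Re-serialize what the parser reported: tag, sorted attributes, text.
    Simplified stand-in for a canonical form (no escaping, no namespaces)."""
    attrs = "".join(' %s="%s"' % (k, v) for k, v in sorted(elem.attrib.items()))
    children = "".join(parsed_view(child) for child in elem)
    return "<%s%s>%s%s</%s>%s" % (
        elem.tag, attrs, elem.text or "", children, elem.tag, elem.tail or "")


def normalized_digest(xml_bytes):
    """Digest over the parser's view of the document instead of its bytes."""
    root = ET.fromstring(xml_bytes)
    return hashlib.sha256(parsed_view(root).encode("utf-8")).hexdigest()


def compare(signed, received):
    """Report whether each digest strategy survives the re-serialization."""
    return {
        # The parser normalizes the ID-typed attribute on both copies.
        "id_values": (ET.fromstring(signed).get("Id"),
                      ET.fromstring(received).get("Id")),
        "raw_match": raw_digest(signed) == raw_digest(received),
        "normalized_match": normalized_digest(signed) == normalized_digest(received),
    }


if __name__ == "__main__":
    for key, value in compare(AS_SIGNED, AS_RECEIVED).items():
        print(key, value)
```

Without the ATTLIST declaration the attribute is treated as CDATA and the padding is preserved, so whether verification breaks depends on which declarations the reading application sees.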