Re[2]: XML and canonicalization

FWIW, I believe we need to default to a particular canonicalization (on both the
signer and verifier side.)  The problem just doesn't look that tough to
implement to me (attribute ordering, namespace substitution, etc.)  Sure, some
vendors will screw it up (and hopefully we won't screw up the spec), but
applications can certify and recommend word processors, parsers, etc. for their
purpose, just as they do with browsers now.  Signatures either pass or fail, so
certification should be relatively straightforward (it would be nice if a
standards body tackled certification.)  Of course, an application should be able
to specify null or other canonicalization for its isolated (thus insulated)
purpose.  My problem is with the larger world.

In the scenario I hope to be dealing with in a few years, an attorney would use
a word processor to create and digitally sign an XML document for submission to
the court.  As a federal court, we don't believe we should dictate that an
attorney use a particular word processor for a filing.  We can, however, require
that they follow reasonable standards (for example, a document that conforms to
a particular DTD.)  

On the court side, I want to be free to choose or switch DOM-based XML parsers
without fear of breaking all the signatures (incidentally, it would be very
painful to use the "source" stream for this purpose, that is, DOM + some dual
hack.)  I have little faith that signatures will remain viable cross-platform
without at least minimal canonicalization.  Note also that it doesn't make sense
to me to tell attorneys they must set a particular "canonicalization mode" in
their word processors, if there ever is such a beast.

Thanks,
Rich
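As an added illustration of the parser-independence point in the message above (example code written for this archive page, not from Rich's message or from the xmldsig drafts): the same filing as three different tools might emit it hashes to three different values, while a minimal canonical form makes all three digests agree. The canonical rules used here (attributes sorted by name, fixed double quoting, whitespace-only text dropped, element names written with their namespace URI so the prefix choice does not matter) are an assumption for the example, not the rules of any W3C canonicalization spec, and the sample documents are constructed.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed samples: one filing, three serializations. A and B differ in
# attribute order, quoting and whitespace; C binds the same namespace to a
# prefix instead of using it as the default.
FILING_A = ('<filing xmlns="urn:court" case="99-1234" court="D.Neb.">'
            '<party role="plaintiff">Doe</party></filing>')
FILING_B = ("<filing xmlns='urn:court' court='D.Neb.' case='99-1234'>\n"
            "  <party role='plaintiff'>Doe</party>\n</filing>")
FILING_C = ("<c:filing xmlns:c='urn:court' court='D.Neb.' case='99-1234'>\n"
            "  <c:party role='plaintiff'>Doe</c:party>\n</c:filing>")


def _escape(text: str) -> str:
    return (text.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace('"', "&quot;"))


def _canonical(elem: ET.Element) -> str:
    # Assumed minimal canonical form: ElementTree already gives the tag as
    # {namespace-uri}local, so prefix differences vanish; attributes are
    # sorted by name and double-quoted; whitespace-only text is dropped.
    attrs = "".join(f' {k}="{_escape(v)}"' for k, v in sorted(elem.attrib.items()))
    out = f"<{elem.tag}{attrs}>"
    if elem.text and elem.text.strip():
        out += _escape(elem.text.strip())
    for child in elem:
        out += _canonical(child)
        if child.tail and child.tail.strip():
            out += _escape(child.tail.strip())
    return out + f"</{elem.tag}>"


def canonical_form(xml_text: str) -> str:
    """Parse with the local DOM/tree parser and re-emit the canonical bytes as text."""
    return _canonical(ET.fromstring(xml_text))


def raw_digest(xml_text: str) -> str:
    """What a signature over the 'source stream' would commit to: the exact bytes."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def canonical_digest(xml_text: str) -> str:
    """What a signature over the canonical form commits to."""
    return hashlib.sha256(canonical_form(xml_text).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for name, doc in (("A", FILING_A), ("B", FILING_B), ("C", FILING_C)):
        print(name, raw_digest(doc)[:16], canonical_digest(doc)[:16])
```

Only the raw digests differ between the three inputs, so a signer and a verifier that agree on the canonical form can use different tools and still get a pass.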

____________________Reply Separator____________________
Subject:    Re: XML and canonicalization  
Author: <w3c-ietf-xmldsig@w3.org>
Date:       10/27/99 9:46 PM


Consensus?  At this point, I think there is a rough consensus that
Null, Minimal, and at least one XML canonicalization and application
specified canonicalizations should be optionally available for data.
But there isn't a consensus on whether canonicalization can be fixed,
and if so at what, or defaulted, and if so to what, for SignedInfo.

Received on Thursday, 28 October 1999 14:55:25 UTC