- From: Joseph M. Reagle Jr. <reagle@w3.org>
- Date: Thu, 06 Apr 2000 18:57:03 -0400
- To: "IETF/W3C XML-DSig WG" <w3c-ietf-xmldsig@w3.org>
The Core WG has been trying to decide what to do with the Canonical XML spec as they have many deliverables on their plate and presently we are the only consumer (though I believe we are only the first, there will be many other applications with requirements similar to our own.) I hope they will produce another draft soon, and there is sometimes talk of them handing the spec off to us, but nothing conlusive so far. However, I did try to update them on my view of this WG's view of that spec. Any thoughts are appreciated. Forwarded Text ---- Date: Thu, 06 Apr 2000 18:50:56 -0400 To: w3c-xml-core-wg@w3.org From: "Joseph M. Reagle Jr." <reagle@w3.org> Subject: XML Signature use of Canonical XML (Was: Minutes for XML Core WG telcon of 2000 Apr 5) [Note: I had an agreement with the Core's predessor (Syntax) for cross-posting any c14n relevent information to the public list. I'm not cc'ing this, but will make this information available in some way -- I'd like to forward it if I could have a similar understanding with the Core WG. Also, this is only my summary of the WG's position and likely direction, but not a formal/endorsed statement.] >... The XML Signature WG's approach on the c14n issue has been mixed because of a difference between those who planned to approach the processing of XML in the Infoset/DOM manner (that requires node serialiazation and canonicalization), and those that wanted to process it merely as characters (that required some line feed and CR canonicalization at most.) Our compromise was to require "minimal" and strongly recommend XML Canonical. However, during last call (which ended yesterday) there's been substantive call for removing minimal all together based on implementation experience [1], though the security concerns associated with XML Canonical are still raised [2]. I expressed my view that "We've been trying to play agnostic between XML as XML, and XML as a character sequence, but I believe the spec should follow the implementations, which seem to be adopting the XML toolkit (XML as XML) route." [3] Consequently, the advancement of Canonical XML is very important to us even though we still have our own difficult consensus/balancing act between XML-as-XML and something some security folks are comfortable with. I'm looking forward to the next draft of the spec that resolves some of the other comments sent during last call [4] (though I know the Core WG is very busy). Also, the Signature WG identified in our comments [5] that we're going to have to figure out some way canonicalize XML fragments (i.e. serialized returns of XPath), though I'm beginning to wonder if this would be a useful feature to include in the Canonical XML spec itself? Gregor Karlinger has suggested that the fragments be wrapped in a declaration and a specific element from the Signature element type in our case, though that could be generalized. [6] [1] http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2000JanMar/0214.html [2] http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2000JanMar/0246.html [3] http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2000JanMar/0257.html [4] http://lists.w3.org/Archives/Public/www-xml-canonicalization-comments/2000Mar / [5] http://lists.w3.org/Archives/Public/www-xml-canonicalization-comments/2000Feb /0004.html [6] http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2000JanMar/0156.html End Forwarded Text ---- _________________________________________________________ Joseph Reagle Jr. W3C Policy Analyst mailto:reagle@w3.org IETF/W3C XML-Signature Co-Chair http://www.w3.org/People/Reagle/
Received on Thursday, 6 April 2000 18:57:17 UTC