Re: XML Signature use of Canonical XML from Dan Connolly on 2000-04-07 (w3c-ietf-xmldsig@w3.org from April to June 2000)

From: Dan Connolly <connolly@w3.org>
Date: Fri, 07 Apr 2000 18:09:46 -0500
To: Ed Simon <ed.simon@entrust.com>
CC: "'w3c-xml-core-wg@w3.org'" <w3c-xml-core-wg@w3.org>, "'w3c-ietf-xmldsig@w3.org'" <w3c-ietf-xmldsig@w3.org>
Message-ID: <38EE6ABA.F681316E@w3.org>

Ed Simon wrote:
[...]
> We also need to address the concerns expressed (eg.
> "http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2000JanMar/0281.html")
> 
> of whether "Canonical XML" will stand up to a security analysis.
> To fully understand the Canonical XML spec (as short as it is), does require
> that one be very familiar with the XML spec, character models, and
> namespaces.  I expect these topics will generally be new areas to
> the cryptographic community and we need to consider that.

Perhaps. But perhaps the shortest path to the target is to cut
out the namespace stuff and character model stuff out of the
c14n algorithm. Rewriting namespace prefixes causes
all sorts of headaches:

	"I hate to say that I told you so, but... -Tim"
	-- Tim Bray
	Re: c14n messes up qnames in attribute values
	From: Tim Bray (tbray@textuality.com)
	Date: Mon, Mar 20 2000 
http://lists.w3.org/Archives/Public/www-xml-canonicalization-comments/2000Mar/0004.html

And I maintain that character normalization is orthogonal to
element-and-attribute c14n.

It was suggested to me (by Noah Mendelsohn) that we could take
namespace prefix munging out of the c14n algorithm, but document
a "namespace normalized form" as an appendix or something; this
appendix wouldn't specify an algorithm with inputs and ouputs,
but rather just a test/constraint on documents ala

	A document is in namespace-normal form iff...

And the same goes for character normalization. We wouldn't specify
an algorithm with inputs and outputs, but just a constraint
that applications could require or not; call it
character-normal form or some such.

Perhaps DSig would require its input to be in character-normal
form to avoid the case of a user being unable to see
birthday-attack changes between o-umlaut-precomposed and
o-umlaut-decomposed.

I don't think you need to require namespace-normal form
for DSig, but I haven't thought through the risks in
detail yet.

Bottom line: if the DSig minimal algorithm is to lean,
and the algorithm in
	http://www.w3.org/TR/2000/WD-xml-c14n-20000119
is too fat, perhaps we could come to consensus on
something in between.

-- 
Dan Connolly, W3C http://www.w3.org/People/Connolly/

Received on Friday, 7 April 2000 19:13:00 UTC