Re: XML Signature use of Canonical XML

At 00/04/07 18:09 -0500, Dan Connolly wrote:

>Perhaps. But perhaps the shortest path to the target is to cut
>out the namespace stuff and character model stuff out of the
>c14n algorithm. Rewriting namespace prefixes causes
>all sorts of headaches:
>
>         "I hate to say that I told you so, but... -Tim"
>         -- Tim Bray
>         Re: c14n messes up qnames in attribute values

Yes, but the real problem here is the spread of qnames
all over the place, not the c14n algorithm. Using qnames
instead of URIs replaces a universal identifier that can
be treated independently anywhere by something that is
very fragile because it depends on an indirection, on
additional information, and on very complex rules for
how to find the actual URI. Qnames are dangerous, and
the longer we go, the more we will find out.

So it's not rewriting namespaces that causes problems,
it's the unrestricted use of qnames by people who don't
understand the consequences that is the problem.


>         From: Tim Bray (tbray@textuality.com)
>         Date: Mon, Mar 20 2000
>http://lists.w3.org/Archives/Public/www-xml-canonicalization-comments/2000Mar/0004.html
>
>And I maintain that character normalization is orthogonal to
>element-and-attribute c14n.

As I have explained in a mail to the XML core WG, that's not
exactly the case. But based on new insights, the I18N WG/IG
has already made clear that in particular for digital signatures,
xml canonicalization and character normalization should be
considered separately.



>It was suggested to me (by Noah Mendelsohn) that we could take
>namespace prefix munging out of the c14n algorithm, but document
>a "namespace normalized form" as an appendix or something; this
>appendix wouldn't specify an algorithm with inputs and outputs,
>but rather just a test/constraint on documents ala
>
>         A document is in namespace-normal form iff...

Which way to specify (procedural or as conditions on the result)
is rather independent of what to specify. The current canonicalization
algorithm is already rather non-procedural.



>And the same goes for character normalization.

Yes, having a name for the thing, and explaining why and
where it may be important, is a good idea.



>Perhaps DSig would require its input to be in character-normal
>form to avoid the case of a user being unable to see
>birthday-attack changes between o-umlaut-precomposed and
>o-umlaut-decomposed.

I don't understand what you mean by 'birthday-attack', but
this is essentially what the I18N WG/IG is asking
XMLDSIG to do.


Regards,   Martin.

Received on Saturday, 8 April 2000 07:50:33 UTC
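
The o-umlaut case discussed in the message above, as an added example that is not part of the original e-mail or of any XMLDSIG implementation: two visually identical elements hash differently, and a pre-signing check rejects input that is not character-normalized. NFC as the normal form, SHA-256 as the digest, and all function names and sample strings are assumptions made for this illustration.

```python
import hashlib
import unicodedata

# Constructed sample inputs: the same visible text, with "o-umlaut" encoded two ways.
PRECOMPOSED = "<name>J\u00f6rg</name>"   # U+00F6 LATIN SMALL LETTER O WITH DIAERESIS
DECOMPOSED = "<name>Jo\u0308rg</name>"   # U+006F followed by U+0308 COMBINING DIAERESIS


def digest(xml_text):
    """SHA-256 over the UTF-8 octets (assumed stand-in for the signature digest)."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def first_unnormalized_offset(xml_text):
    """Return the code point offset where the text departs from NFC, or None."""
    nfc = unicodedata.normalize("NFC", xml_text)
    if nfc == xml_text:
        return None
    for i, (a, b) in enumerate(zip(xml_text, nfc)):
        if a != b:
            return i
    # One string is a prefix of the other: the difference starts at the shorter length.
    return min(len(xml_text), len(nfc))


def digest_for_signing(xml_text):
    """Refuse non-normalized input rather than normalizing it silently,
    so the signer and the verifier hash exactly the octets they were given."""
    offset = first_unnormalized_offset(xml_text)
    if offset is not None:
        raise ValueError("input is not in NFC at code point offset %d" % offset)
    return digest(xml_text)


if __name__ == "__main__":
    print("precomposed:", digest(PRECOMPOSED))
    print("decomposed: ", digest(DECOMPOSED))
    try:
        digest_for_signing(DECOMPOSED)
    except ValueError as err:
        print("rejected:", err)
```
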