Re: c14n text from Joseph M. Reagle Jr. on 2000-05-02 (w3c-ietf-xmldsig@w3.org from April to June 2000)

From: Joseph M. Reagle Jr. <reagle@w3.org>
Date: Tue, 02 May 2000 15:18:22 -0400
To: David.Solo@citicorp.com, "Donald Eastlake" <dee3@torque.pothole.com>, <lde008@dma.isg.mot.com>
Cc: "IETF/W3C XML-DSig WG" <w3c-ietf-xmldsig@w3.org>
Message-Id: <3.0.5.32.20000502151822.00b319b0@localhost>

Ok, I took your text, added Don's suggestion, and tweaked it to read as
stated below. My only concern with the text stated below is that I would
ALWAYS like this element to be present even if we REQUIRE Canonical XML.
(Just like SignatureMethod). My preference has been to include syntax where
(potentially) varied semantics are being communicated. For instance, making
a semantic always base64 merits removing elements and attributes. But
otherwise for algorithms that we require, we haven't been setting the
default to that required algorithm. I think this is good because it's
explicit, less-confusing, and mitigates some fuzzy concerns I have about the
need to migrate to other algorithms in the future.

Do you mind making this a required element?
__

4.3.1 The CanonicalizationMethod Element 

CanonicalizationMethod is an optional element that specifies the
canonicalization algorithm applied to the SignedInfo element prior to
performing signature calculations. This element uses the general structure
for algorithms described in section 6.1: Algorithm Identifiers. The default
canonicalization algorithm (applied if this element is omitted) is Canonical
XML  [XML-C14N].

Alternatives, such as the minimal canonicalization algorithm (the CRLF and
charset normalization specified in section 6.5.1: Minimal Canonicalization),
may be explicitly specified but are NOT REQUIRED. Consequently, their use
may not interoperate with other applications that do no support the
specified algorithm (see section 7: XML Canonicalization and Syntax
Constraint Considerations). Security issues may also arise in the treatment
of entity processing and comments if minimal or other non-XML aware
canonicalization algorithms are not properly constrained (see section 8.2:
Only What is "Seen" Should be Signed). 

We RECOMMEND that resource constrained applications that do not implement
the Canonical XML [XML-C14N] transform and instead choose minimal
canonicalization (or some other form) are implemented to generate Canonical
XML as their output serialization to easily mitigate some of these
interoperability and security concerns. For instance, such an implementation
SHOULD (at least) generate standalone XML instances [XML].

_________________________________________________________
Joseph Reagle Jr.   
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/People/Reagle/

Received on Tuesday, 2 May 2000 15:18:32 UTC