RE: XSL Transform from Ed Simon on 2000-07-26 (w3c-ietf-xmldsig@w3.org from July to September 2000)

From: Ed Simon <ed.simon@entrust.com>
Date: Wed, 26 Jul 2000 12:21:48 -0400
To: "'Merlin Hughes'" <merlin@baltimore.ie>
Cc: "'w3c-ietf-xmldsig@w3.org'" <w3c-ietf-xmldsig@w3.org>, "'ht@cogsci.ed.ac.uk'" <ht@cogsci.ed.ac.uk>
Message-ID: <ED026032A3FCD211AEDA00105A9C46960177B6FD@sothmxs05.entrust.com>

Merlin:
 "If your output format is XML, you may want to C14N it
  afterwards. This should almost be mandatory; interop
  is otherwise almost guaranteed to fail."

This is absolutely true.  Unless one has very unique
reasons for not doing so, doing a c14n on an XML instance
before signing is basically mandatory for interop.

Merlin:
 "If your output format is non-XML, then it seems
  impossible to guarantee interop. There is no exact
  definition for the format of, e.g., autogenerated
  META tags; nor is an ordering imposed on attributes;
  nor can HTML, for example, be canonicalized."

Yes. In my view, an XSLT transform in an XML Signature's
<Transform> element should only be used to extract the
elements one wants to sign (and the paring requires more
functionality than that provided in XPath).  For interop
reasons, the result needs to be XML and c14n'd before
signing.

If an app wants to generate something other than XML from
a <Transform> where the original input is XML, the app
needs to provide its own canonicalization transform as the
final step.

If one wants to sign the HTML generated by apply an
HTML-generating XSLT stylesheet to XML, a possible 
alternative may be to cover both the XML and the 
stylesheet in one signature.  Failing that, one needs
an HTML canonicalizer (responsibility of the app not
the XMLSig Toolkit).

XMLSig implementors are under no obligation to try to handle
data types that do not have well-defined c14n algorithms
associated with them.  To me that is outside the scope
of both the XMLSig WG and implementors.  And as I said,
<Transform> elements are really intended just for converting
XML input to XML output.

Now, it wouldn't surprise me if there are some alternative
opinions on this, so please consider this note as a
spark for discussion. I'd like to hear what others think.

Ed
-----Original Message-----
From: Merlin Hughes [mailto:merlin@baltimore.ie]
Sent: Wednesday, July 26, 2000 10:28 AM
To: Ed Simon
Cc: 'w3c-ietf-xmldsig@w3.org'; 'ht@cogsci.ed.ac.uk'
Subject: Re: XSL Transform 



r/ed.simon@entrust.com/2000.07.25/17:29:09

Hi,

>Here are my reasons for being precise as to how XSLT transforms should be
>specified in an XML Signature.  Apologies for sounding elementary but I
>want to start from the basics.
>
>[...]
>
>Merlin, is this along the lines of the way you were thinking.

Exactly.

Also relevant to this discussion are some notes I observed
about interoperating among different XSL processors:

. You must specify that output indentation is disabled.
  Different XSL tools indent differently.

. If your output format is XML, you may want to C14N it
  afterwards. This should almost be mandatory; interop
  is otherwise almost guaranteed to fail.

. If your output format is non-XML, then it seems
  impossible to guarantee interop. There is no exact
  definition for the format of, e.g., autogenerated
  META tags; nor is an ordering imposed on attributes;
  nor can HTML, for example, be canonicalized.

This last point is possible the most problematic. If I read
the XSL spec right, different XSL processors may produce
different results from the same input.

Merlin

Received on Wednesday, 26 July 2000 12:24:19 UTC