RE: Poll on Exclusive Canonicalization

I'd like to see the poll give a definition of 'exclusive canonicalization'
since I can guess what is being suggested but I did not read the entire
thread on C14N so I don't know for sure.

The ambiguity in what namespaces should be included in the scope of the C14N
is the main cause of interop issues with XKMS - and I would guess by
extension in any SOAP/XML Protocol application.

Rather than mess with the 'mandatory' status we should recognize that the
specification cannot mandate support for a specific canonicalization
algorithm and it is entirely wrong and unjustified to do so. 

The proposed C14N does not meet the requirements of signing SOAP or XML
Protocol messages. Any spec to support that application will inevitably
specify that another C14N algorithm is required. As currently specified the
C14N algorithm does not satisfy the requirement that nodes be signable
individually and independently.

Counter proposal:

1) Demote the requirement for the existing C14N from MUST to SHOULD
2) Insert a forward looking 'SHOULD support' for exclusive C14N
3) Develop spec for alternative C14N 
4) When Signing XML Protocol messages is written it will specify
   the alg that is most appropriate as a MUST.

XML Signature is not a complete specification, it is a component. MUST
implement for interoperability does not make as much sense at the component
level as at the system level.


		Phill

Phillip Hallam-Baker FBCS C.Eng.
Principal Scientist
VeriSign Inc.
pbaker@verisign.com
781 245 6996 x227


> -----Original Message-----
> From: Thomas Maslen [mailto:maslen@dstc.edu.au]
> Sent: Friday, June 15, 2001 3:47 AM
> To: w3c-ietf-xmldsig@w3.org
> Subject: Re: Poll on Exclusive Canonicalization 
> 
> 
> > With respect to the issue of excluding ancestor context 
> from the canonical 
> > form of a signature[1], the WG should pursue option:
> > 
> > 1. Specify the exclusive canonicalization as part of the 
> non-normative (nor 
> >    required to implement) dsig-more specification [2].
> >
> > 2. Specify the exclusive canonicalization as part of the normative 
> >    xmldsig-core  as proposed in [3] (but with the URIs of 
> [4]) as [REQUIRED, 
> >    RECOMMENDED, OPTIONAL]. (This option requires 
> interoperable implementation 
> >    of this feature before xmldsig advances.)
> 
> Speaking for the JCSI gang at DSTC:
> 
> We believe that a significant percentage of candidate xmldsig 
> applications 
> suffer from the c14n variable-context issue.  Given this, we 
> believe that
> for xmldsig to be usable and interoperable, it is worthwhile 
> for xmldsig to 
> specify an interoperable c14n approach that resolves this 
> issue, despite the
> effect of this on the standardization schedule.
> 
> In other words, our preference is for option 2.  
> 
> Also, in the interests of interoperability, RECOMMENDED (or 
> ideally REQUIRED)
> would be preferable to OPTIONAL.
> 
> Thomas Maslen
> DSTC
> 

Received on Monday, 18 June 2001 10:22:29 UTC