- From: John Boyer <JBoyer@PureEdge.com>
- Date: Wed, 20 Jun 2001 11:42:38 -0700
- To: "Phil Griffin" <phil.griffin@asn-1.com>, "Phillip Hallam-Baker" <pbaker@verisign.com>
- Cc: "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>, <w3c-ietf-xmldsig@w3.org>
HERE IS A REPEAT FOR THOSE WHO DON'T DO HTML IN EMAILS, WHICH I'M FORCED TO DO THANKS TO A BUG IN THE LATEST MICROSOFT EXCHANGE SERVER. As you may have guessed from my prior email "RE: Poll on Exclusive Canonicalization", there remains a simple design tweak to XMLDSig that A) would not hold up anything pertaining to status of the XML DSig spec, B) should be trivial to implement and test for interoperability, and C) solves more problems than just the namespace issue. I mention this technique in part to help everyone understand that the current conflict is not arising from a shortcoming in C14N but rather in XML DSig's application of C14N and/or the application of XML DSig in a particular scenario (signing SOAP messages). Consider the following sentence from the C14N Spec "Since XML canonicalization converts an XPath node-set into a canonical form, the first parameter MUST either be an XPath node-set or ..." Suppose we add an XPath element to the Signature element as a sibling of SignedInfo. The XPath would say how to filter the SignedInfo. The processing model would then say: 1) Form a node-set consisting of the entire subtree rooted at SignedInfo, including namespace and attribute nodes. 2) Apply the XPath expression. 3) Add the subtree rooted by the XPath element in Signature, including attributes and namespaces. 4) Send resultant node-set to C14N. 5) Sign result. End of story. Full stop to conflict. Thanks for coming out. John Boyer Senior Product Architect, Software Development Internet Commerce System (ICS) Team PureEdge Solutions Inc. Trusted Digital Relationships v: 250-708-8047 f: 250-708-8010 1-888-517-2675 http://www.PureEdge.com <http://www.pureedge.com/>
Received on Wednesday, 20 June 2001 14:43:09 UTC