Re: Base64

Hi Gregor,

As far as I (possibly we) understand it, schema-normalized values are
*not* exposed as part of the standard XML infoset (and thus probably
not DOM), but as part of the post schema-validation infoset, which is
an augmentation, not a replacement, of the XML infoset.

So, any canonical form for base64 should not affect signature processing.

Also, there is a proposal that schema validation be an *explicit*
transform, so the possibility of sender/recipient schema validation
conflict (defaulted values) may be reduced. Of course, this won't
really help in the case of same-document references.

Merlin

r/gregor.karlinger@iaik.at/2001.08.06/09:43:41
>Joseph,
>
>> Is [1] sufficient for your concerns about base64?
>>
>> [1]
>> http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2001JulSep/0103.html
>
>The relevant point is:
>
>     4. what is the canonical form for base64Binary values?
>
>     Response: Option A: 76 characters from the base64 alphabet, then a
>     newline sequence; repeat as needed; last line of more than 0, less
>     than 76 characters, also terminated by newline sequence.
>
>But I am not sure about the consequences of introducing a canonical form
>for base64Binary values: Is a schema validating parser enforced to report
>only the canonical form of the value to the application?
>
>  * If yes, then my concerns are addressed, if the signature application is
>    ENFORCED to produce the canonical form of the digest value's base64
>    lexical representation.
>
>  * In the current draft of XMLDSIG, this enforcement is not established.
>    Without such an enforcement, the signature will break if the creator
>    of a signature does not produce the canonical representation, and if
>    the validator of the signature uses a validating parser.
>
>  * If no, my concerns are not addressed.
>
>Liebe Gruesse/Regards,
>---------------------------------------------------------------
>DI Gregor Karlinger
>mailto:gregor.karlinger@iaik.at
>http://www.iaik.at
>Phone +43 316 873 5541
>Institute for Applied Information Processing and Communications
>Austria
>---------------------------------------------------------------
>
>


Received on Thursday, 9 August 2001 08:41:58 UTC
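
The question in this thread turns on the difference between a base64 value and its lexical form. The following is an added example, not code from the thread or from any XMLDSIG implementation: it builds the "Option A" layout quoted above and shows that two lexical forms of the same value hash differently when digested as text. The function names, the SHA-256 digest and the 100-byte sample value are assumptions made for illustration.

```python
import base64
import hashlib

LINE_LEN = 76  # line length from "Option A" as quoted in the thread


def canonical_base64(data: bytes, newline: str = "\n") -> str:
    """Lay out data as in Option A: lines of 76 base64 characters, each
    followed by a newline sequence, including the shorter last line.
    (Assumption: when the encoding is an exact multiple of 76 characters,
    the output simply ends after the last full line.)"""
    encoded = base64.b64encode(data).decode("ascii")
    lines = [encoded[i:i + LINE_LEN] for i in range(0, len(encoded), LINE_LEN)]
    return "".join(line + newline for line in lines)


def same_value(a: str, b: str) -> bool:
    """True when two lexical forms decode to the same octets.
    b64decode ignores whitespace in its default (non-validating) mode."""
    return base64.b64decode(a) == base64.b64decode(b)


def text_digest(lexical: str) -> str:
    """Digest over the characters as they appear in the document, which is
    what a signature covers when it digests element text, not the value."""
    return hashlib.sha256(lexical.encode("utf-8")).hexdigest()


def demo():
    value = bytes(range(100))  # constructed sample value
    # One sender's form: a single unwrapped line, no trailing newline.
    as_sent = base64.b64encode(value).decode("ascii")
    # The Option A form of the same value.
    canonical = canonical_base64(value)
    return as_sent, canonical


if __name__ == "__main__":
    as_sent, canonical = demo()
    print("same value:      ", same_value(as_sent, canonical))
    print("same text digest:", text_digest(as_sent) == text_digest(canonical))
```

If the text seen by the verifier is the character data as sent, the digest matches; if it were replaced by a normalized form, it would not, which is why it matters which infoset the signature processing reads from.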