XMLDSIG erratum

Joseph and Merlin,

once again our rules for encoding strings in DNames keep me busy ...
I dug a bit in the list archive because I wanted to find the reason
why the text in the REC is as it is.

I found the following messages from merlin [1], [2], which clearly
reflect the *intention* of our strings-in-DNames rules:

----------------------------------------------------------------------------

<merlin1>
  4.4.4 The X509Data Element (dname encoding)

  I'd possibly suggest that instead of "compliant with RFC2253", we
  use the text "compliant with the subset of RFC2253 described below"
  or somesuch, because RFC2253 allows encodings that are not permitted
  by the text that we have.

  Is it intended that space be considered an ASCII control character;
  if not, I'd suggest the text "\00-\1f inclusive".

  In this case, leading and trailing ' ' should be escaped. If we want
  to allow leading and trailing whitespace to be trimmed from dname
  text nodes then we also need to state that a "\ " occurring at the
  end of a dname must be replaced by "\20".
</merlin1>

<merlin2>
  Ignoring UTF-8 encoding, the current wording is:

  RFC 2253 -> replace "\ " with "\20" -> replace 0x00-0x20 with "\xx"

  My suggested wording is:

  RFC 2253 -> replace 0x00-0x1f with "\xx" -> replacing trailing "\ "
  with "\20"
</merlin2>

----------------------------------------------------------------------------

If this is really the intention of our rules, the text in the REC is
totally misleading and urgently needs to be fixed via the errata
document, for example:

  (1) The text in the REC does not state that we basically use the
      encoding rules for strings as specified in RFC2253, but
      additionally apply the exceptions stated in the text. Rather the
      text in the REC and in the errata document respectively states:
 
        "the encoding of the distinguished name SHOULD be compliant with
         the DNAME encoding rules at the end of this section."

      and

        "DNames ... should be encoded in accordance with RFC2253 [LDAP-DN]
         except for the encoding of string values within a DName: ..."

  (2) The fourth bullet in the rec text states:
        "Escape any trailing white space by replacing "\ " with "\20"."
      According to <merlin1> this should rather read:
        "Escape a "\ " at the end of the string with "\20"."

----------------------------------------------------------------------------

Merlin, could you please tell me your view on the intention of the REC 
encoding rules?

Regards, Gregor

[1] http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2001JulSep/0181.html
[2] http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2001JulSep/0183.html

Received on Sunday, 17 March 2002 16:01:36 UTC
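The following Python is an added illustration, not code from the XMLDSIG REC, the errata document or the message above. It encodes a DName attribute value under the two orderings that <merlin2> contrasts (the REC wording: RFC 2253, then every "\ " to "\20", then 0x00-0x20 to "\xx"; merlin's wording: RFC 2253, then 0x00-0x1f to "\xx", then only a trailing "\ " to "\20") and checks which results survive whitespace trimming of the XML text node, which is the reason the trailing "\20" rule exists. Assumptions: the RFC 2253 helper implements only the backslash-quoting subset of section 2.4, Python's `str.strip()` stands in for an XML consumer trimming the text node, and the sample values are constructed.

```python
# Added example (not from the XMLDSIG REC or the list message): encode a
# DName attribute value the two ways the thread contrasts, then check which
# results survive XML whitespace trimming of the text node.

# RFC 2253 section 2.4 characters that must be backslash-quoted anywhere
# inside an attribute value.
RFC2253_SPECIALS = set(',+"\\<>;')


def rfc2253_escape(value: str) -> str:
    """Backslash-quote an attribute value per RFC 2253 section 2.4.

    Escapes , + " \\ < > ; anywhere, a space at the start or end of the
    value, and '#' at the start.  Other characters are left as they are
    (RFC 2253 permits, but does not require, the \\xx form for them).
    """
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in RFC2253_SPECIALS:
            out.append("\\" + ch)
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def hex_escape(text: str, upper: int) -> str:
    """Replace every character with code point 0x00..upper (inclusive) by \\xx."""
    return "".join("\\" + format(ord(c), "02x") if ord(c) <= upper else c
                   for c in text)


def encode_rec_wording(value: str) -> str:
    """Order as the REC text reads: RFC 2253, then every "\\ " -> "\\20",
    then 0x00-0x20 -> "\\xx" (so every plain space becomes "\\20" too)."""
    s = rfc2253_escape(value)
    s = s.replace("\\ ", "\\20")
    return hex_escape(s, 0x20)


def encode_merlin_wording(value: str) -> str:
    """Order as <merlin2> suggests: RFC 2253, then 0x00-0x1f -> "\\xx",
    then only a trailing "\\ " -> "\\20"."""
    s = rfc2253_escape(value)
    s = hex_escape(s, 0x1f)
    if s.endswith("\\ "):
        s = s[:-2] + "\\20"
    return s


def survives_xml_trim(encoded: str) -> bool:
    """True if trimming leading/trailing whitespace from the XML text node
    (stand-in: str.strip()) leaves the encoded value unchanged."""
    return encoded.strip() == encoded


# Constructed sample values exercising the cases discussed in the thread:
# interior space, trailing space, leading space, a special character, a
# control character.
SAMPLES = ["John Smith", "Smith ", " Smith", "O'Neil, Inc.", "a\x01b"]

if __name__ == "__main__":
    for v in SAMPLES:
        print(repr(v),
              "| REC wording:", encode_rec_wording(v),
              "| merlin wording:", encode_merlin_wording(v),
              "| plain RFC 2253 trim-safe:",
              survives_xml_trim(rfc2253_escape(v)))
```

Running it shows the practical difference: under the REC ordering every space in "John Smith" turns into "\20", while under merlin's ordering only the trailing "\ " of "Smith " is rewritten, and that rewrite is exactly what keeps the value intact when a consumer trims the text node.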