W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > July to September 2002

Re: minimal canonicalization

From: Ed Simon <edsimon@xmlsec.com>
Date: Thu, 25 Jul 2002 10:24:50 -0400
Message-ID: <001301c233e7$09d8cba0$f2a0fea9@DJQC7111>
To: <reagle@w3.org>, "Carl Ellison" <cme@jf.intel.com>
Cc: "XML Signature \(W3C/IETF\)" <w3c-ietf-xmldsig@w3.org>

I guess the questions to me is "what XML processing capability does the
constrained device have?".  Can it, for example, do at least SAX parsing?
If so, I think that should be enough because if UPnP requires a certain c14n
and sufficiently constrains the XML context in which an XML Signature can be
carried, then the validator can assume that c14n was then used.  Depending
on the UPnP details, which I would have to see before I get too speculative,
the validator need only use XML-aware processing to extract from the
received signature, the digest, digest method (if variable), the signature
value, the signature method (if variable), key info, and assurance the
signature covers what it is supposed to.  The rest would be some
optimization trickery which is a bit more than I can write at the moment but
suffice to say the more assumptions one can earnestly make about the input
signature, the less computing one needs to do.  The validator need not have
a general purpose XML Signature processor, just one that can handle the
signature types it expects to receive.

Ed


----------------------------------------------------------------------------
-------------------------------------------
Ed Simon
<edsimon@xmlsec.com>
(613) 726-9645
XMLsec Inc.

Interested in XML Security Training and Consulting services?  Visit
"www.xmlsec.com".
----- Original Message -----
From: "Carl Ellison" <cme@jf.intel.com>
To: <reagle@w3.org>
Cc: "XML Signature (W3C/IETF)" <w3c-ietf-xmldsig@w3.org>
Sent: Wednesday, July 24, 2002 8:34 PM
Subject: Re: minimal canonicalization


>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> At 03:07 PM 7/24/2002 -0400, Joseph Reagle wrote:
> >On Wednesday 24 July 2002 01:13 pm, Carl Ellison wrote:
> >> We actually have devices that are resource constrained and need to
> >> do minimal canonicalization (as part of UPnP), but the way this
> >> recommendation is written, it suggests that the constrained device
> >> control its output.
> >
> >Is the constrained device generating a signature. If so, yes, it's
> >generating and controlling it's output.
> >
> >>  In fact, if we have two devices, one powerful
> >> and doing C14-N and one constrained, it is the powerful one that
> >> has to make sure its output is canonicalized.
> >
> >I don't yet understand the scenario.
>
>
> We are using XML DSig to sign SOAP commands for UPnP.  Each SOAP
> command is an XML structure.  We aren't signing documents but rather
> messages (or parts of messages, to be more precise).
>
> In that case, you have a sender and a receiver.  If the sender is
> powerful, it is generating the signature and controlling its output,
> but it has no reason to use anything but C14N.  However, the receiver
> is limited in CPU power (and possibly memory) and needs to
> canonicalize the incoming message in order to verify the signature.
> That's the one that can't afford C14N.
>
>  - Carl
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 7.1
>
> iQA/AwUBPT9HncxqBGb+WvJAEQKa7ACgnYn2ko9GbdZYsnfPQ8jsb+GTb2EAoIq/
> 5/AfChm5h2u9P18kGj/niHmv
> =BV4q
> -----END PGP SIGNATURE-----
>
>
> +--------------------------------------------------------+
> |Carl Ellison      Intel Labs        E: cme@jf.intel.com |
> |2111 NE 25th Ave                    T: +1-503-264-2900  |
> |Hillsboro OR 97124                  F: +1-503-264-6225  |
> |PGP Key ID: 0xFE5AF240              C: +1-503-819-6618  |
> |  1FDB 2770 08D7 8540 E157  AAB4 CC6A 0466 FE5A F240    |
> +--------------------------------------------------------+
>
>
Received on Thursday, 25 July 2002 10:25:11 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 20:10:10 UTC