- From: Joseph Reagle <reagle@w3.org>
- Date: Fri, 24 Jan 2003 12:32:05 -0500
- To: Marc Hadley <Marc.Hadley@Sun.COM>, Rich Salz <rsalz@datapower.com>, w3c-ietf-xmldsig@w3.org, w3c-xml-protocol-wg@w3.org
- Cc: Martin Gudgin <mgudgin@microsoft.com>

On Thursday 23 January 2003 11:32, Marc Hadley wrote:
> Please find attached a new version of the SOAP message canonicalization
> specification. This implements the suggestion to recast the algorithm
> as a transform to enable composition with existing and future
> transformations and canonicalization methods.

Thanks for the update Marc, comments:

> SOAP Message Canonicalization may be used as a Transform
> algorithm in XML Digital Signature [XML DSig] and XML Encryption [XML Enc].

Encryption really doesn't have a transform mechanism of its own that would use this transform. xenc is integrated with xmldsig via xmldsig's transform mechanism; and it has its own for obtaining remote ciphertext (via CipherReference: e.g., plucking the third cipher-block out of some remote XML file). Consequently, I'd probably drop the reference to XENC here.

> It may be used in conjunction with other Transform algorithms and
> with a CanonicalizationMethod including XML Canonicalization [XML C14N]
> and Exclusive XML Canonicalization [EXCL C14N]

sm-c14n certainly can be used with c14n or exc-c14n as part of a dsig:Transform. For example, this mitigates the SOAP variances and then exclusive-canonicalizes it.

    <Reference URI="http://www.example.com/soap_cache.xml/">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/2002/11/sm-c14n"/>
        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </Transforms>
    </Reference>

However, it can't be used in CanonicalizationMethod [1] because CanonicalizationMethod only takes *one* algorithm and applies it to SignedInfo so as to yield octets. (sm-c14n requires a partner serialization method to yield octets.) Fortunately, we've already noted that we don't foresee any circumstances where we'd want to use sm-c14n on SignedInfo.

But this does bring me to another question, if sm-c14n doesn't yield any octets, which I think is appropriate, perhaps we should call it something other than canonicalization, which to date has connoted serialization as well. "SOAP Identity Transform" is awkward but would avoid confusion on this note...?

[1] http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/#sec-CanonicalizationMethod

Received on Friday, 24 January 2003 12:32:16 UTC
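
The distinction drawn in the message above, as an added example that is not part of the original message or of the sm-c14n draft: a small checker that tracks whether each step of a `SignedInfo` hands on a node-set or octets. The `OUTPUT` table, the helper names and the sample fragments are assumptions constructed for illustration; the sm-c14n entry only encodes the message's statement that it yields no octets.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SM_C14N = "http://www.w3.org/2002/11/sm-c14n"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
# What each algorithm hands to the next step (assumed table for this sketch).
OUTPUT = {SM_C14N: "node-set", EXC_C14N: "octets", C14N: "octets"}

def check_signed_info(xml_text):
    """Return a list of findings (strings) for one ds:SignedInfo element."""
    si = ET.fromstring(xml_text)
    findings = []
    # CanonicalizationMethod names exactly one algorithm, and its output is
    # what gets signed, so that algorithm must itself produce octets.
    cm = si.find(DS + "CanonicalizationMethod")
    alg = cm.get("Algorithm") if cm is not None else None
    if OUTPUT.get(alg) != "octets":
        findings.append(f"CanonicalizationMethod {alg} does not yield octets")
    # Transforms compose, so only the output of the last one matters here.
    for ref in si.findall(DS + "Reference"):
        out = "octets"  # an external URI dereferences to octets
        for t in ref.findall(f"{DS}Transforms/{DS}Transform"):
            out = OUTPUT.get(t.get("Algorithm"), "unknown")
        if out != "octets":
            findings.append(f"Reference {ref.get('URI')} ends in {out} "
                            "with no explicit serializing transform")
    return findings

def signed_info(c14n_method, transforms):
    """Build a constructed SignedInfo fragment (sample input, not real data)."""
    ts = "".join(f'<Transform Algorithm="{a}"/>' for a in transforms)
    return ('<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'
            f'<CanonicalizationMethod Algorithm="{c14n_method}"/>'
            '<Reference URI="http://www.example.com/soap_cache.xml/">'
            f'<Transforms>{ts}</Transforms></Reference></SignedInfo>')

if __name__ == "__main__":
    # First case mirrors the Reference in the message; second misuses sm-c14n.
    for cm, ts in [(EXC_C14N, [SM_C14N, EXC_C14N]), (SM_C14N, [SM_C14N])]:
        print(check_signed_info(signed_info(cm, ts)) or "ok")
```
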