Re: What exactly is canonicalised from Donald Eastlake 3rd on 2003-07-05 (w3c-ietf-xmldsig@w3.org from July to September 2003)

From: Donald Eastlake 3rd <dee3@torque.pothole.com>
Date: Sat, 5 Jul 2003 19:02:33 -0400 (EDT)
To: Tarun Pinto Pereira <tarun_pinto@hotmail.com>
Cc: w3c-ietf-xmldsig@w3.org
Message-ID: <Pine.LNX.4.44.0307051855430.506-100000@zydeco.netbusters.com>

Tarun,

On Sat, 5 Jul 2003, Tarun Pinto Pereira wrote:

> Date: Sat, 5 Jul 2003 21:07:29 +0100
> From: Tarun Pinto Pereira <tarun_pinto@hotmail.com>
> 
> Hi,
> The answer to this question may be in the XML signature documentation, but I
> could not find it.
> I am a bit confused as to what parts of the signed document are exactly
> canonicalised. Section 4.2.1 states that the "CanonicalizationMethod is a
> required element that specifies the canonicalization algorithm applied to
> the SignedInfo element prior to performing signature calculations".

That's correct. Canonicalizing SignedInfo is all the
CanonicalizationMethod is used for.

> But what about the method being applied to elements prior to digest
> calculations. Would not a slight variation in the bits of these elements
> (the reason for the canonical transform) produce different digests? Are the
> elements, for which digests are calculated, also passed thru a canonical
> transform prior to digest calculation?

You need to read up on the data pipeline. Remember, the data retrieved
from the URL in the Reference is passed through any Transforms and, even
more important, subject to default transformations on its was to
becoming the octet stream that is digested. If the URL is, for example,
an "ftp://" URL or something else that returns an octet string, no
conversion is neede and the data just gets directly digested. On the
other hand, if you have a same document reference, like "#foo", then
that reference yields an XPATH node set which must be serialized into an
octet stream before it can be digested. This serialization process
defaults to using Canonical XML. If you want some other canonicalization
in this case, you need to specify it as a Transform.

> Thanks,
> Tarun.

Donald
======================================================================
 Donald E. Eastlake 3rd                       dee3@torque.pothole.com
 155 Beaver Street              +1-508-634-2066(h) +1-508-851-8280(w)
 Milford, MA 01757 USA                   Donald.Eastlake@motorola.com

Received on Saturday, 5 July 2003 19:02:38 UTC