- From: Ed Simon <edsimon@xmlsec.com>
- Date: Wed, 22 Dec 2004 11:26:42 -0500
- To: "'Hess Yvan'" <yvan.hess@imtf.ch>, <w3c-ietf-xmldsig@w3.org>
- Cc: <JBoyer@PureEdge.com>
Hi Hans,
I suppose one other point is whether your system will always control the
generation of signatures. If that is the case, then you can set the
parameters, such as requiring C14N with UTF-8 canonicalization, that will
keep all your signatures valid. If you accept signatures from sources
outside your control, then you might have to reconstitute the original
signature before validation.
BTW, further private correspondence has informed me that ISO-8859-1 is not a
subset of UTF-8.
Regards, Ed
========================================
Ed Simon
(613) 726-9645
edsimon@xmlsec.com
Interested in XML, Web Services, or Security? Visit "www.xmlsec.com".
Now available! "Web Services Security" published by Osborne (ISBN#
0072224711)
-----Original Message-----
From: w3c-ietf-xmldsig-request@w3.org
[mailto:w3c-ietf-xmldsig-request@w3.org] On Behalf Of Hess Yvan
Sent: December 22, 2004 3:22 AM
To: 'w3c-ietf-xmldsig@w3.org'
Cc: 'edsimon@xmlsec.com'; 'JBoyer@PureEdge.com'
Subject: RE: Encoding of signed document question
Hi everybody,
First thanks for all yours answers. To clarify things, here are the
different steps I am doing when a sign my XML document:
1. My XML input documents is a file having encoding "ISO-8859-1".
2. I then load my document as a DOM document.
3. I sign my DOM document using Apache XML Security library (Java) 4. The
returned document is a DOM document.
4. I converted the signed XML document as a byte array.
5. Using a XML parser a reload the signed XML document as a DOM document.
6. Finally, I write the signed XML document as a byte array using encoding
"ISO-8859-1"
7. To verify the consistency of my document, I verified it using Apache XML
Security and the answer returned is that my document is NOT corrupted.
As my XML document are stored on an optical disk for long term storage, I
want to be sure that I can use an other encoding than "UTF-8" for XML
documents. As I understood the XML signature recommendation, it is the
responsibility of the Signature library to have a canonical representation
of the XML document, to treat these kinds of problem. Am I right?. In my
context, here is the signature of my signed XML document. As Ed said, I
think I can use "ISO-8851-1" because as you can see into the signature of my
XML document, the canonicalization method algorithm is C14N. Does somebody
can give me a conclusion about my problem? Can we finally say that I can use
any XML encoding ("UTF-8" , "ISO-8859-1", ...) if the canonicalization
method algorithm is CN14.
Thanks for your final conclusion.
Regards. Yvan
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
<dsig-xpath:XPath
xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2"
Filter="intersect">/edoc:EDOC/edoc:Object</dsig-xpath:XPath>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>VUXqX8......</ds:DigestValue>
</ds:Reference>
<ds:Reference
URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033464">
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>7typF....</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>rnvby1.....</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MII......</ds:X509Certificate>
<ds:X509Certificate>IEN......</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
-----Original Message-----
From: Ed Simon [mailto:edsimon@xmlsec.com]
Sent: mardi, 21. décembre 2004 19:59
To: w3c-ietf-xmldsig@w3.org
Subject: RE: Encoding of signed document question
Due to some private feedback I've just received, let me emphasize that I do
not know "if ISO-8859-1 is a subset of UTF-8", I'm just guessing it might
be. If someone knows for sure, please let us know.
Regards, Ed
========================================
Ed Simon
(613) 726-9645
edsimon@xmlsec.com
Interested in XML, Web Services, or Security? Visit "www.xmlsec.com".
Now available! "Web Services Security" published by Osborne (ISBN#
0072224711)
-----Original Message-----
From: w3c-ietf-xmldsig-request@w3.org
[mailto:w3c-ietf-xmldsig-request@w3.org] On Behalf Of Ed Simon
Sent: December 21, 2004 1:35 PM
To: w3c-ietf-xmldsig@w3.org
Subject: RE: Encoding of signed document question
If the C14N algorithm chosen requires UTF-8 reserialization, then all should
be fine; but XML Signature does not require a C14N to be used that
reserializes as UTF-8, right?
While I would whole-heartedly endorse a C14N with UTF-8 reserialization, I
have to assume (that in cases like the one proposed), that might not always
be the case. So, my general recommendation is that if one has an XML
Signature, that any possibly disruptive changes to it be undone, before
trying to validate it. I don't know the details of Hans' case and it may
be very well that there is no problem with validating the "ISO-8859-1"
version. (Actually, if ISO-8859-1 is a subset of UTF-8, then I would not
expect any problem.) But for the general question of encoding to something
not a subset of UTF-8, I would advise caution with respect to the choice of
C14N algorithms or that the original form of the signature be reconstituted
before validation.
Regards, Ed
========================================
Ed Simon
(613) 726-9645
edsimon@xmlsec.com
Interested in XML, Web Services, or Security? Visit "www.xmlsec.com".
Now available! "Web Services Security" published by Osborne (ISBN#
0072224711)
-----Original Message-----
From: w3c-ietf-xmldsig-request@w3.org
[mailto:w3c-ietf-xmldsig-request@w3.org] On Behalf Of John Boyer
Sent: December 21, 2004 12:53 PM
To: Ed Simon; w3c-ietf-xmldsig@w3.org
Subject: RE: Encoding of signed document question
Hi Ed,
Why would it 'very likely' not validate?
The C14N phase of core validation automatically re-serializes using UTF-8,
regardless of the encoding of the original document.
Cheers,
John Boyer, Ph.D.
Senior Product Architect and Research Scientist PureEdge Solutions Inc.
-----Original Message-----
From: Ed Simon [mailto:edsimon@xmlsec.com]
Sent: Tuesday, December 21, 2004 9:43 AM
To: w3c-ietf-xmldsig@w3.org
Subject: RE: Encoding of signed document question
I am under the impression that the document is signed already, and that you
want to store it in a different encoding. What you do with a document after
it is signed does not matter to XML Signature, however if you try to
validate the signature before restoring the document to its original form,
the signature will very likely not validate.
Have I understood you correctly?
Regards,
Ed
========================================
Ed Simon
(613) 726-9645
edsimon@xmlsec.com
Interested in XML, Web Services, or Security? Visit "www.xmlsec.com".
Now available! "Web Services Security" published by Osborne (ISBN#
0072224711)
-----Original Message-----
From: w3c-ietf-xmldsig-request@w3.org
[mailto:w3c-ietf-xmldsig-request@w3.org] On Behalf Of Hess Yvan
Sent: December 21, 2004 10:24 AM
To: 'w3c-ietf-xmldsig@w3.org'
Subject: Encoding of signed document question
Hi,
Do I have the right to store a signed XML document into a filesystem or a
database using a different encoding than "UTF-8"? In the context of my
application I have to save it using encoding "ISO-8859-1".
Is it conform to specifications ? What will be the incidence of a such
choice ?
Thanks for your answer.
Regards. Yvan Hess
Received on Wednesday, 22 December 2004 16:26:17 UTC