- From: Ed Simon <edsimon@xmlsec.com>
- Date: Wed, 22 Dec 2004 11:26:42 -0500
- To: "'Hess Yvan'" <yvan.hess@imtf.ch>, <w3c-ietf-xmldsig@w3.org>
- Cc: <JBoyer@PureEdge.com>
Hi Hans,

I suppose one other point is whether your system will always control the generation of signatures. If that is the case, then you can set the parameters, such as requiring C14N with UTF-8 canonicalization, that will keep all your signatures valid. If you accept signatures from sources outside your control, then you might have to reconstitute the original signature before validation.

BTW, further private correspondence has informed me that ISO-8859-1 is not a subset of UTF-8.

Regards, Ed

========================================
Ed Simon
(613) 726-9645
edsimon@xmlsec.com
Interested in XML, Web Services, or Security? Visit "www.xmlsec.com".
Now available! "Web Services Security" published by Osborne (ISBN# 0072224711)

-----Original Message-----
From: w3c-ietf-xmldsig-request@w3.org [mailto:w3c-ietf-xmldsig-request@w3.org] On Behalf Of Hess Yvan
Sent: December 22, 2004 3:22 AM
To: 'w3c-ietf-xmldsig@w3.org'
Cc: 'edsimon@xmlsec.com'; 'JBoyer@PureEdge.com'
Subject: RE: Encoding of signed document question

Hi everybody,

First, thanks for all your answers. To clarify things, here are the different steps I am doing when I sign my XML document:

1. My XML input document is a file having encoding "ISO-8859-1".
2. I then load my document as a DOM document.
3. I sign my DOM document using Apache XML Security library (Java)
4. The returned document is a DOM document.
4. I converted the signed XML document as a byte array.
5. Using an XML parser I reload the signed XML document as a DOM document.
6. Finally, I write the signed XML document as a byte array using encoding "ISO-8859-1"
7. To verify the consistency of my document, I verified it using Apache XML Security and the answer returned is that my document is NOT corrupted.

As my XML documents are stored on an optical disk for long term storage, I want to be sure that I can use another encoding than "UTF-8" for XML documents.

As I understood the XML signature recommendation, it is the responsibility of the Signature library to have a canonical representation of the XML document, to treat these kinds of problems. Am I right?

In my context, here is the signature of my signed XML document. As Ed said, I think I can use "ISO-8859-1" because as you can see in the signature of my XML document, the canonicalization method algorithm is C14N.

Can somebody give me a conclusion about my problem? Can we finally say that I can use any XML encoding ("UTF-8", "ISO-8859-1", ...) if the canonicalization method algorithm is C14N?

Thanks for your final conclusion.

Regards.
Yvan

    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
              <dsig-xpath:XPath xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2" Filter="intersect">/edoc:EDOC/edoc:Object</dsig-xpath:XPath>
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>VUXqX8......</ds:DigestValue>
        </ds:Reference>
        <ds:Reference URI="urn:hypersuite:8F1F8E64-C0A8024E0160C4B0-A0033464">
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>7typF....</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>rnvby1.....</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MII......</ds:X509Certificate>
          <ds:X509Certificate>IEN......</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>

-----Original Message-----
From: Ed Simon [mailto:edsimon@xmlsec.com]
Sent: Tuesday, 21 December 2004 19:59
To: w3c-ietf-xmldsig@w3.org
Subject: RE: Encoding of signed document question

Due to some private feedback I've just received, let me emphasize that I do not know "if ISO-8859-1 is a subset of UTF-8", I'm just guessing it might be. If someone knows for sure, please let us know.

Regards, Ed

-----Original Message-----
From: w3c-ietf-xmldsig-request@w3.org [mailto:w3c-ietf-xmldsig-request@w3.org] On Behalf Of Ed Simon
Sent: December 21, 2004 1:35 PM
To: w3c-ietf-xmldsig@w3.org
Subject: RE: Encoding of signed document question

If the C14N algorithm chosen requires UTF-8 reserialization, then all should be fine; but XML Signature does not require a C14N to be used that reserializes as UTF-8, right? While I would whole-heartedly endorse a C14N with UTF-8 reserialization, I have to assume that (in cases like the one proposed) that might not always be the case.

So, my general recommendation is that if one has an XML Signature, that any possibly disruptive changes to it be undone, before trying to validate it.

I don't know the details of Hans' case and it may very well be that there is no problem with validating the "ISO-8859-1" version. (Actually, if ISO-8859-1 is a subset of UTF-8, then I would not expect any problem.) But for the general question of encoding to something not a subset of UTF-8, I would advise caution with respect to the choice of C14N algorithms or that the original form of the signature be reconstituted before validation.

Regards, Ed

-----Original Message-----
From: w3c-ietf-xmldsig-request@w3.org [mailto:w3c-ietf-xmldsig-request@w3.org] On Behalf Of John Boyer
Sent: December 21, 2004 12:53 PM
To: Ed Simon; w3c-ietf-xmldsig@w3.org
Subject: RE: Encoding of signed document question

Hi Ed,

Why would it 'very likely' not validate? The C14N phase of core validation automatically re-serializes using UTF-8, regardless of the encoding of the original document.

Cheers,
John Boyer, Ph.D.
Senior Product Architect and Research Scientist
PureEdge Solutions Inc.

-----Original Message-----
From: Ed Simon [mailto:edsimon@xmlsec.com]
Sent: Tuesday, December 21, 2004 9:43 AM
To: w3c-ietf-xmldsig@w3.org
Subject: RE: Encoding of signed document question

I am under the impression that the document is signed already, and that you want to store it in a different encoding. What you do with a document after it is signed does not matter to XML Signature; however, if you try to validate the signature before restoring the document to its original form, the signature will very likely not validate.

Have I understood you correctly?

Regards, Ed

-----Original Message-----
From: w3c-ietf-xmldsig-request@w3.org [mailto:w3c-ietf-xmldsig-request@w3.org] On Behalf Of Hess Yvan
Sent: December 21, 2004 10:24 AM
To: 'w3c-ietf-xmldsig@w3.org'
Subject: Encoding of signed document question

Hi,

Do I have the right to store a signed XML document into a filesystem or a database using a different encoding than "UTF-8"? In the context of my application I have to save it using encoding "ISO-8859-1". Does it conform to the specifications? What will be the incidence of such a choice?

Thanks for your answer.

Regards.
Yvan Hess
Received on Wednesday, 22 December 2004 16:26:17 UTC
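
The behaviour discussed in this thread (canonicalization re-serializes as UTF-8 whatever encoding the document is stored in), as an added example that is not part of the original messages. It uses Python's standard-library `xml.etree.ElementTree.canonicalize`, which implements Canonical XML 2.0 rather than the C14N 1.0 named in the quoted signature; the document and the helper names are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample document (not from the thread); it contains
# characters outside ASCII so the two stored encodings differ in bytes.
SAMPLE = '<edoc><Object id="1">Société Générale, Zürich</Object></edoc>'


def serialize(encoding: str) -> bytes:
    """Return SAMPLE as it would be stored on disk in the given encoding."""
    decl = f'<?xml version="1.0" encoding="{encoding}"?>\n'
    return (decl + SAMPLE).encode(encoding)


def canonical_bytes(stored: bytes) -> bytes:
    """Parse stored bytes (the parser honours the XML declaration) and
    return the canonical form, which is always emitted as UTF-8."""
    return ET.canonicalize(stored).encode("utf-8")


def digest(data: bytes) -> str:
    # SHA-1 mirrors the DigestMethod in the signature quoted in the thread.
    return hashlib.sha1(data).hexdigest()


def compare(enc_a: str = "UTF-8", enc_b: str = "ISO-8859-1") -> dict:
    """Compare two stored encodings before and after canonicalization."""
    a, b = serialize(enc_a), serialize(enc_b)
    return {
        "stored_bytes_equal": a == b,
        "canonical_bytes_equal": canonical_bytes(a) == canonical_bytes(b),
        "canonical_digest_a": digest(canonical_bytes(a)),
        "canonical_digest_b": digest(canonical_bytes(b)),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The stored files differ byte for byte ("é" is 0xE9 in ISO-8859-1 and 0xC3 0xA9 in UTF-8), yet the digest a verifier computes over the canonical form is the same for both.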