- From: Jose Kahan <jose.kahan@w3.org>
- Date: Thu, 15 Dec 2005 17:59:58 +0100
- To: John Boyer <boyerj@ca.ibm.com>
- Cc: w3c-ietf-xmldsig@w3.org
Hi John,

Here's my $0.02 as a newbie user of XML-SIG.

IMO, using a new algorithm identifier makes sense. The programmatic and update effort will have to be done anyway. The xml:id spec states that using C14 1.0 will produce invalid xml:id attribute values that are not unique.

If you don't change the algorithm identifier, you can arrive at a situation where someone signs an XML document that includes xml:id using C14 1.1 (I'm not sure what it will be called). If someone uses a legacy toolkit, the signature won't be valid. How to catch and understand this error may cost lots of time to many people.

On the other hand, if when you create the signature, you use the new algorithm identifier, then the legacy toolkit can warn you right away that it doesn't understand C14 1.1. This may prompt me to check if there's a newer version of the toolkit. This somehow is more comfortable than "invalid signature" with no other reason.

This having been said, the xml:id note states that there is no such problem with EXCL C14 1.0. As far as I understand, most people advise to only use EXCL C14.0, rather than C14 1.0 in digital signatures. I'd be curious to know if this is really the case. If yes, maybe it would make more sense to have an errata or a revised edition of the XMLSIG spec that says that the recommended XML canonicalization algorithm is EXCL C14.0.

I'm interested in your feedback.

-jose
Received on Thursday, 15 December 2005 17:00:48 UTC
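
Added example, not part of the message above or of any toolkit's code: a pre-validation check that reads the algorithm identifiers out of a `ds:Signature` and reports an unknown canonicalization identifier before any digest is computed, which is the early warning the message argues for. The `LEGACY_SUPPORTED` set, the function names and the trimmed sample signature are assumptions constructed for illustration; the Canonical XML 1.1 URI is the identifier W3C assigned after this message was written.

```python
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
C14N_10 = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
EXC_C14N_10 = "http://www.w3.org/2001/10/xml-exc-c14n#"
C14N_11 = "http://www.w3.org/2006/12/xml-c14n11"  # assigned later by W3C
ENVELOPED = DSIG + "enveloped-signature"

# Assumption: what a hypothetical pre-1.1 toolkit implements.
LEGACY_SUPPORTED = {C14N_10, C14N_10 + "#WithComments",
                    EXC_C14N_10, EXC_C14N_10 + "WithComments", ENVELOPED}

# Constructed, trimmed signature (no digest or signature values);
# the token C14N is replaced with a real identifier below.
SAMPLE = (
    '<Signature xmlns="' + DSIG + '"><SignedInfo>'
    '<CanonicalizationMethod Algorithm="C14N"/>'
    '<SignatureMethod Algorithm="' + DSIG + 'rsa-sha1"/>'
    '<Reference URI="#doc1"><Transforms>'
    '<Transform Algorithm="' + ENVELOPED + '"/>'
    '<Transform Algorithm="C14N"/>'
    '</Transforms></Reference></SignedInfo></Signature>'
)

def unsupported_algorithms(signature_xml, supported):
    """Return (element, URI) pairs the verifier does not implement."""
    root = ET.fromstring(signature_xml)
    found = []
    for tag in ("CanonicalizationMethod", "Transform"):
        for el in root.iter("{%s}%s" % (DSIG, tag)):
            uri = el.get("Algorithm")
            if uri not in supported:
                found.append((tag, uri))
    return found

def precheck(signature_xml, supported):
    """Fail closed with a specific reason before any digest is computed."""
    bad = unsupported_algorithms(signature_xml, supported)
    if bad:
        return "unsupported algorithm: " + ", ".join(
            "%s=%s" % pair for pair in bad)
    return "algorithms supported; proceed to digest and signature validation"

if __name__ == "__main__":
    for uri in (C14N_10, C14N_11):
        print(precheck(SAMPLE.replace("C14N", uri), LEGACY_SUPPORTED))
```

If the signer had reused the 1.0 identifier for 1.1 output, this check would pass and the failure would only surface later as a digest mismatch.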