Re: C14N isn't widely used?

Norman Walsh wrote:
> Rich Salz says[1]
>    Also c14n can already be broken by xmlns, so this doesn't create a
>    new problem, it just makes an existing one bigger. Viewed
>    parochially, web services use exc-c14n anyway, so let's use xml:id.
> Is it true that Exc-C14N is actually the more widely deployed spec?

For web services, the answer is a resounding yes.

I don't know of any XML signature library that implements c14n without 
also implementing exc-c14n.  Among the groups saying use exc-c14n and 
not c14n are WS-Security, SAML, XACML, and the WS-I basic profile.

You really cannot use c14n if you are signing something that someone may 
put into a SOAP message.

Hope this helps.


Rich Salz, Chief Security Architect
DataPower Technology                 
XS40 XML Security Gateway

Received on Thursday, 24 February 2005 21:28:29 UTC
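The point about SOAP in the message above, shown as an added example that is not part of the original post: a simplified canonicalizer (elements, attributes and text only, not a conforming C14N implementation) digests the same element standalone and after it is wrapped in a SOAP envelope. The `Order` document, its `urn:example:orders` namespace and all function names are constructed for illustration.

```python
import hashlib
from xml.dom import minidom
from xml.sax.saxutils import escape

def is_ns(name):
    return name == "xmlns" or name.startswith("xmlns:")

def attrs_of(el):
    return [(a.name, a.value) for a in
            (el.attributes.item(i) for i in range(el.attributes.length))]

def in_scope(el):
    """Namespace declarations visible at el, inherited from every ancestor."""
    chain = []
    while el is not None and el.nodeType == el.ELEMENT_NODE:
        chain.append(el)
        el = el.parentNode
    scope = {}
    for anc in reversed(chain):            # outermost first, inner ones override
        for name, value in attrs_of(anc):
            if is_ns(name):
                scope[name[6:]] = value    # "" stands for the default namespace
    return scope

def canon(el, exclusive, rendered=None):
    """Simplified canonical form of el's subtree (assumption: no comments/PIs)."""
    rendered = dict(rendered or {})
    plain = sorted((n, v) for n, v in attrs_of(el) if not is_ns(n))
    scope = in_scope(el)
    if exclusive:   # keep only prefixes visibly used by the element or its attributes
        used = {el.tagName.rpartition(":")[0]} | {n.split(":")[0] for n, _ in plain if ":" in n}
        scope = {p: u for p, u in scope.items() if p in used}
    out = "<" + el.tagName
    for p in sorted(scope):                # skip declarations an output ancestor emitted
        if rendered.get(p) != scope[p]:
            out += ' xmlns%s="%s"' % (":" + p if p else "", scope[p])
            rendered[p] = scope[p]
    out += "".join(' %s="%s"' % (n, escape(v, {'"': "&quot;"})) for n, v in plain) + ">"
    for child in el.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            out += canon(child, exclusive, rendered)
        elif child.nodeType == child.TEXT_NODE:
            out += escape(child.data)
    return out + "</" + el.tagName + ">"

# Constructed sample: the signed element alone, then inside a SOAP 1.1 envelope.
ORDER = '<Order xmlns="urn:example:orders" Id="o1"><Item>widget</Item></Order>'
SOAP = ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        '<soap:Body>' + ORDER + '</soap:Body></soap:Envelope>')

def canonical(xml, exclusive):
    return canon(minidom.parseString(xml).getElementsByTagName("Order")[0], exclusive)

def digest(xml, exclusive):
    return hashlib.sha256(canonical(xml, exclusive).encode()).hexdigest()
```

With inclusive canonicalization the wrapped `Order` picks up the envelope's `xmlns:soap` declaration, so a digest computed before wrapping no longer verifies; the exclusive form is unchanged by the new ancestors.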