- From: Rich Salz <rsalz@datapower.com>
- Date: Thu, 24 Feb 2005 16:28:49 -0500
- To: Norman Walsh <Norman.Walsh@Sun.COM>
- CC: www-tag@w3.org
Norman Walsh wrote: > Rich Salz says[1] > > Also c14n can already be broken by xmlns, so this doesn't create a > new problem, it just makes an existing one bigger. Viewed > parochially, web services use exc-c14n anyway, so let's use xml:id. > > Is it true that Exec-C14N is actually the more widely deployed spec? For web services, the answer is a resounding yes. I don't know of any XML signature library that implements c14n without also implementing exc-c14n. Among the groups saying use exc-c14n and not c14n are WS-Security, SAML, XACML, and the WS-I basic profile. You really cannot use c14n if you are signing something that someone may put into a SOAP message. Hope this helps. /r$ -- Rich Salz, Chief Security Architect DataPower Technology http://www.datapower.com XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
Received on Thursday, 24 February 2005 21:28:29 UTC