- From: Mark Nottingham <mnot@mnot.net>
- Date: Sat, 16 Feb 2002 16:52:27 -0800
- To: XML Distributed Applications List <xml-dist-app@w3.org>
The archives for the group were closed for some reason; this link should now work. Cheers, On Sat, Feb 16, 2002 at 10:20:09AM -0800, Mark Nottingham wrote: > > > > [1] http://groups.yahoo.com/group/soap-opt/message/3 > > > > On Sat, Feb 16, 2002 at 10:19:32AM -0800, Mark Nottingham wrote: > > > > Hi Rich, > > > > You partially motivate this with caching. I'm not sure that it really > > helps there, though; the problem that caching faces is identifying > > the parts of a request message that are used to compose a cache key. > > > > As such, the variety of semantically equivalent section 5 encodings > > (see [1]) is much more of a problem than block ordering, namespace > > inheritence, etc., which can mostly be taken care of through use of > > XML-aware tools. > > > > I'd suggest dropping caching from the motivations for this effort, > > and an issue re: section 5 canonicalisation (there may be other ways > > to compose the cache key from a section 5-encoded message, but I > > still think it would be useful). > > > > Cheers, > > > > > > > > On Fri, Feb 15, 2002 at 10:59:25AM -0500, Rich Salz wrote: > > > Here's my action item to write up how to canonicalize SOAP messages. > > > I'm basing it on Henrik's proposal for what message rewrites are allowed [1]. > > > > > > In doing so, I came across a problem. The proposal allows an intermediary > > > to remove the actor attribute if it's targeted to the ultimate recipient. > > > If this remains, it means that only entities that know the recipient can > > > verify a signature. Speaking as someone who sells generic DSIG servers, > > > I think that's a mistake. :) I see three choices (in my decreasing order > > > of preference): > > > 1 Remove that from the proposal > > > 2 Require a "parameter" to the SM-C14N so the recipient can be > > > identified. E.g., in an XML DSIG you'd have a transform like this: > > > <disg:Transform disg:Algorithm="[[value; see below]]"> > > > <soap-env:ultimateRecipient>uri...</soap-env:ultimateRecipient> > > > </disg:Transform> > > > 3 Limit verification to those who know the recipient > > > > > > Reaction? > > > > > > Second, since intermediaries can add and remove headers, it's necessary > > > to define an ordering. I chose alpha-order, as that will often not > > > require the full rendering of all elements to be buffered. > > > > > > Anyhow, my proposed text appears below. The prose is a little turgid, > > > sorry. > > > /r$ > > > > > > [1] http://lists.w3.org/Archives/Public/xml-dist-app/2002Feb/0183.html > > > > > > > > > Soap Message Canonicalization (SM-C14N) > > > --------------------------------------- > > > > > > Because intermediaries have some flexibility in serializing messages that > > > pass through them, it is necessary to define a canonicalization method so > > > that all semantically equivalent serializations will render identically. > > > This is necessary, e.g., to generate a message digest for a digital > > > signature, maintain a replay cache, and so on. > > > > > > This mechanism is called SOAP Message Canonicalization (SM-C14N). > > > It is identified by the following URI: [[value needed]]. SM-C14N can be > > > targetted at an individual header or body element, a set of such elements, > > > or an entire SOAP message. > > > > > > When targetted to an individual element information item, the following > > > steps are performed: > > > 1. Any namespace declarations that are inherited from the outer SOAP > > > element, and used within the element, are treated as if they were > > > declared by the element. > > > 2. if the SOAP mustUnderstand attribute information item is present > > > with a non-false value, the value is taken to be "1" > > > 3. if the SOAP mustUnderstand attribute information item is present > > > with a false value, the attribute information item is ignored > > > 4. if the SOAP actor > > > The element is then processed according to XML-C14N. > > > > > > When targetted to multiple element information items, each is processed > > > as described above. The elements are then sorted lexigraphically, > > > and a single newline (&#A) is inserted between each one. > > > > > > When targetted to a SOAP Header or Body element information item, the > > > result is computed as if the canonicalization was applied only to all > > > the immediate child elements of the SOAP element. Note that the SOAP > > > Header or Body element information item itself is not directly used. > > > > > > When targetted to a SOAP message information item, the result is > > > calculated as the concatenation of targetting the SOAP Header element > > > information item, a single newline, and targetting the SOAP Body element > > > information item. Note that the SOAP Message element information item > > > itself is not directly used. > > > -30- > > > > > > > -- > > Mark Nottingham > > http://www.mnot.net/ > > > > -- > Mark Nottingham > http://www.mnot.net/ > > -- Mark Nottingham http://www.mnot.net/
Received on Saturday, 16 February 2002 19:52:31 UTC