Re: Proposal for various Infosetisms from noah_mendelsohn@us.ibm.com on 2002-10-16 (xml-dist-app@w3.org from October 2002)

From: <noah_mendelsohn@us.ibm.com>
Date: Wed, 16 Oct 2002 18:11:42 -0400
To: Rich Salz <rsalz@datapower.com>
Cc: Marc Hadley <marc.hadley@sun.com>, "mgudgin@microsoft.com" <mgudgin@microsoft.com>, "xml-dist-app@w3.org" <xml-dist-app@w3.org>
Message-ID: <OF04CB7188.C3ED3352-ON85256C54.007981E3@lotus.com>

Rich Salz wrote:

> XML DSIG works by canonicalizing and then hashing XML,
> not infoset.  "Signing the infoset" might be an
> interesting academic exercise, but it's not very
> worthwhile in terms of interopable XML DSIG signatures
> on SOAP messages.

Rich and I ran into each other at DevCon, and discussed the SOAP/Infoset 
vs. DSIG/XPath-Model.  I think we made some progress in reaching concensus 
between the two of us, and without trying to put words in Rich's mouth, 
here's what I think we could probably agree on:

* There are cases in which signing the XPath data model vs. an infoset 
makes a difference, because there are some details significant in XPath 
that are not significant in infoset.  I believe that whitespace between 
elements is an example

*  It is therefore indeed unfortunate that SOAP and DSig don't today work 
on the same model, as signing SOAP messages is clearly a key use case for 
DSIG.  Therefore, it would indeed be valueable to develop a normative 
means of signing SOAP infosets.

* While it may be theoretically possible to sign things like infosets, in 
practice all the industrial strength signature standards depend on a bit 
or byte stream as input.  Therefore, if we wish to sign SOAP infosets, the 
practical way to do it is to develop a "canonicalization" that represents 
the infoset as a byte stream.  Given the existing DSig rec, one way to do 
this would be to establish the appropriate mapping from Infoset to XPath 
data model (for example, state that when going from Infoset to Data Model 
no insignificant whitespace is to be introduced), and then use the 
existing DSig recs (with some canonicalization of the data model) to sign 
that.

So, this all makes sense to me, and I'm cautiously optimistic that Rich 
would see it about the same way.  Apologies in advance if that's not so. 

------------------------------------------------------------------
Noah Mendelsohn                              Voice: 1-617-693-4036
IBM Corporation                                Fax: 1-617-693-8676
One Rogers Street
Cambridge, MA 02142
------------------------------------------------------------------

Received on Wednesday, 16 October 2002 18:15:01 UTC