- From: Tony Graham <Tony.Graham@Sun.COM>
- Date: Wed, 11 Jun 2003 16:24:48 +0100
- To: XMLP Dist App <xml-dist-app@w3.org>
Rich Salz wrote at 11 Jun 2003 10:54:50 -0400:
> >> I thought the expectation was that dig-sig or encryption would work on
> >> canonical base64 representation of the data.
>
> Yuk.

Section 8, Security Considerations, of paswa61.html does begin:

   Given that SOAP processing happens post inclusion, signatures over
   elements with xbinc:Include children MUST NOT be signatures over
   the xbinc:Include element and its href attribute; signatures MUST
   be over the included data. Current XML signature algorithms
   require signing the included data as base64-encoded characters;
   the lexical form of such characters SHOULD be canonicalized.

> Crypto operations should work on the "real" data, not a translation of
> it. XML DSIG defines a base-64 transform to make it easy to send base64
> data, but you're supposed to decode it before operating on it.

Signing the base64-encoded "lexical space" representation has been
mentioned several times on this list. My first post from yesterday
showed some of them.

Regards,

Tony Graham
------------------------------------------------------------------------
XML Technology Center - Dublin
Sun Microsystems Ireland Ltd                       Phone: +353 1 8199708
Hamilton House, East Point Business Park, Dublin 3            x(70)19708
Received on Wednesday, 11 June 2003 11:22:34 UTC
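
Added example, not part of the original thread: a Python sketch of why the quoted text asks for the base64 lexical form to be canonicalized before signing, and how that compares with digesting the decoded data as the quoted reply prefers. SHA-256 stands in for the digest step of a signature; the payload, both lexical forms, the function names and the decode-then-re-encode canonical form are assumptions made for illustration.

```python
import base64
import hashlib

# Constructed sample: 48 octets, and two lexical forms of the same data.
PAYLOAD = bytes(range(48))
FORM_A = base64.b64encode(PAYLOAD).decode("ascii")            # one unbroken line
FORM_B = "\n  " + "\r\n  ".join(FORM_A[i:i + 16] for i in range(0, len(FORM_A), 16)) + "\n"

def _decode(lexical: str) -> bytes:
    """Strip XML whitespace, then decode strictly (bad characters raise)."""
    return base64.b64decode("".join(lexical.split()), validate=True)

def canonical_base64(lexical: str) -> str:
    """Assumed canonical form: decode, then re-encode with no whitespace."""
    return base64.b64encode(_decode(lexical)).decode("ascii")

def digest_lexical(lexical: str) -> str:
    """Digest over the characters exactly as serialized in the message."""
    return hashlib.sha256(lexical.encode("ascii")).hexdigest()

def digest_canonical_lexical(lexical: str) -> str:
    """Digest over the canonicalized base64 characters."""
    return digest_lexical(canonical_base64(lexical))

def digest_octets(lexical: str) -> str:
    """Digest over the decoded data itself."""
    return hashlib.sha256(_decode(lexical)).hexdigest()

if __name__ == "__main__":
    for name, fn in [("raw lexical", digest_lexical),
                     ("canonical lexical", digest_canonical_lexical),
                     ("decoded octets", digest_octets)]:
        same = fn(FORM_A) == fn(FORM_B)
        print(f"{name:18} digests match across forms: {same}")
```

Only the raw lexical digest differs between the two forms, so a signature computed that way would fail to verify after any intermediary re-wraps the base64 text.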