We should go into a little more detail.
Are we specifying exclusive c14n with or without comments? My
preference would be without.
As I understand it, inherited xml:lang and xml:base attributes aren't
signed when you're using exclusive c14n. If we ended up allowing
per-entry signatures, we need to give guidance that xml:lang and
xml:base should be explicitly included in the signed content if they
are important.
It may be helpful to give guidance about the usage of the
InclusiveNamespaces PrefixList, especially with default namespaces.
It also might be good to give guidance to extension authors and
publishers about use of namespaces that aren't visibly bound; e.g.,
QNames in content.
More information at:
http://www.w3.org/TR/2002/REC-xml-exc-c14n-20020718/#sec-Limitations
Another good reference is the WS-I Basic Security Profile:
http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html#xmlSignatureAlgorithms
On 06/07/2005, at 6:28 PM, Paul Hoffman wrote:
Greetings again. I gravely misunderstood XML Canonicalization, and
as it has been explained to me now, XML Canonicalization would be a
disaster for Atom: what we want is Exclusive XML Canonicalization.
See <http://www.w3.org/TR/2002/REC-xml-exc-c14n-20020718/>.
What I didn't get was that in normal XML Canonicalization, the
canonicalized version gets all the external definitions added as
text; that doesn't happen in Exclusive XML Canonicalization. I
thought that in normal XML Canonicalization, those definitions got
assumed; I didn't realize that they got actually put in as text. Yuck.
(I cannot understand how the folks who put together XMLDigSig could
allow normal XML Canonicalization to be even thought of, much less
the only required form. What a mess.)
Now that I understand this better, I believe that our text should
read:
[[ NEW ]]
Section 6.5.1 of [W3C.REC-xmldsig-core-20020212] requires support
for Canonical XML. However, many people believe that Canonical XML
may be deprecated in the future, and many implementers do not use
it because signed XML documents enclosed in other XML documents
have their signatures broken. Thus, Atom Processors that verify
signed Atom Documents MUST be able to canonicalize with Exclusive
XML Canonicalization.
Does anyone object to that?
--Paul Hoffman, Director
--Internet Mail Consortium
--
Mark Nottingham Principal Technologist
Office of the CTO BEA Systems
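To make concrete what both messages are getting at, here is an added example (not code from this thread) that models in Python how the two canonicalizations treat an <entry> signed inside a feed: a small subset of the C14N rules for namespace declarations and inherited xml:* attributes, run on a constructed feed. `FEED`, `canonicalize`, `entry_c14n` and the `prefix_list` argument (standing in for the InclusiveNamespaces PrefixList) are names assumed for the example; comments, processing instructions and full attribute-value escaping are deliberately left out, so this is a model, not a conforming canonicalizer.

```python
from xml.dom import minidom
# Constructed sample: xml:lang, xml:base and an extension prefix are declared on
# <feed>, i.e. outside the <entry> that a per-entry signature would cover.
FEED = ('<feed xmlns="http://www.w3.org/2005/Atom" xmlns:ext="urn:example:ext" '
        'xml:lang="en" xml:base="http://example.org/"><entry><title>Hi</title></entry></feed>')
_esc = lambda s: s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
is_ns = lambda a: a.name == "xmlns" or a.prefix == "xmlns"   # namespace declaration?

def _ancestors(elem):                       # nearest ancestor element first
    node, chain = elem.parentNode, []
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        chain.append(node)
        node = node.parentNode
    return chain

def canonicalize(elem, exclusive, prefix_list=(), _rendered=None):
    # _rendered: namespaces already emitted by an output ancestor; None = apex.
    apex = _rendered is None
    rendered = {"xmlns": ""} if apex else dict(_rendered)
    scope = {}                              # in-scope declarations, nearest wins
    for node in reversed([elem] + _ancestors(elem)):
        scope.update({a.name: a.value for a in node.attributes.values() if is_ns(a)})
    if exclusive:
        # Only prefixes visibly utilised here, or named in the PrefixList, survive.
        used = {"xmlns:" + elem.prefix if elem.prefix else "xmlns"}
        used |= {"xmlns:" + a.prefix for a in elem.attributes.values()
                 if a.prefix not in (None, "xmlns", "xml")}
        used |= {"xmlns" if p == "#default" else "xmlns:" + p for p in prefix_list}
        scope = {n: v for n, v in scope.items() if n in used}
    decls = {n: v for n, v in scope.items() if rendered.get(n) != v}
    rendered.update(decls)
    attrs = {a.name: (a.namespaceURI or "", a.localName, a.name, a.value)
             for a in elem.attributes.values() if not is_ns(a)}
    if not exclusive and apex:
        # Inclusive C14N copies inherited xml:* attributes onto the apex (signed).
        for a in [a for n in _ancestors(elem) for a in n.attributes.values() if a.prefix == "xml"]:
            attrs.setdefault(a.name, (a.namespaceURI, a.localName, a.name, a.value))
    out = ["<" + elem.tagName]
    out += [' %s="%s"' % (n, decls[n]) for n in sorted(decls, key=lambda n: (n != "xmlns", n))]
    out += [' %s="%s"' % (n, _esc(v).replace('"', "&quot;")) for *_, n, v in sorted(attrs.values())]
    out.append(">")
    for c in elem.childNodes:
        if c.nodeType == c.TEXT_NODE: out.append(_esc(c.data))
        elif c.nodeType == c.ELEMENT_NODE: out.append(canonicalize(c, exclusive, prefix_list, rendered))
    return "".join(out) + "</%s>" % elem.tagName

def entry_c14n(exclusive, prefix_list=()):
    entry = minidom.parseString(FEED).getElementsByTagName("entry")[0]
    return canonicalize(entry, exclusive, prefix_list)
```

Inclusive C14N pulls the feed-level xmlns:ext, xml:lang and xml:base into the bytes of <entry>, so the same entry signed standalone and then enclosed in a feed verifies differently; Exclusive C14N omits all three unless `ext` is named in the PrefixList and never carries the inherited xml:lang/xml:base, which is why they have to be copied onto the entry if they matter.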