These are complex topics that are straying away from Axis issues, since WS-Security is a given that we all need to work with. I'll just point out, though, that XML Canonicalization is only required because of the decision to base XML Signature on the *text* of the document, rather than the *content* of the document. It would have allowed for much more efficient implementation if Signature had been based on the Infoset, for instance. As it is, the reliance on the particular sequence of characters in the text format has repeatedly caused problems in Axis due to issues such as namespace prefixes which have absolutely nothing to do with the content of the document.

 - Dennis
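The prefix sensitivity described in the message above, as an added example that is not part of the original thread. It uses Python's `xml.etree.ElementTree.canonicalize` (C14N 2.0) as a stand-in for the canonicalization a WS-Security stack applies; the documents and the `urn:example:order` namespace are constructed for illustration.

```python
import hashlib
from xml.etree.ElementTree import canonicalize

# Constructed sample documents (not from the thread). All three carry the same
# content; only the serialized text differs.
NS = "urn:example:order"
DOC_A = f'<o:Order xmlns:o="{NS}" id="7" currency="USD"><o:Item/></o:Order>'
# Same prefix, but different attribute order, spacing and empty-element syntax.
DOC_B = f'<o:Order currency="USD"   xmlns:o="{NS}" id="7"><o:Item></o:Item></o:Order>'
# Identical to DOC_A except that the namespace prefix is "ord" instead of "o".
DOC_C = f'<ord:Order xmlns:ord="{NS}" id="7" currency="USD"><ord:Item/></ord:Order>'


def raw_digest(xml_text: str) -> str:
    """SHA-256 over the serialized text exactly as received."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def c14n_digest(xml_text: str, rewrite_prefixes: bool = False) -> str:
    """SHA-256 over the canonical form, the octets a signature digest covers."""
    canonical = canonicalize(xml_text, rewrite_prefixes=rewrite_prefixes)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def compare() -> dict:
    """Report which textual differences survive canonicalization."""
    return {
        # Raw text differs, so a digest over the unprocessed text would fail.
        "raw A == raw B": raw_digest(DOC_A) == raw_digest(DOC_B),
        # Canonicalization removes attribute-order and syntax differences.
        "c14n A == c14n B": c14n_digest(DOC_A) == c14n_digest(DOC_B),
        # Prefixes are kept in the canonical form, so a prefix change alone
        # still changes the digest although the content is the same.
        "c14n A == c14n C": c14n_digest(DOC_A) == c14n_digest(DOC_C),
        # Only with the C14N 2.0 prefix-rewriting option do A and C agree.
        "c14n+rewrite A == C": c14n_digest(DOC_A, True) == c14n_digest(DOC_C, True),
    }


if __name__ == "__main__":
    for check, result in compare().items():
        print(f"{check}: {result}")
```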

Anne Thomas Manes wrote:

I agree with you that the XML gateway appliance vendors will benefit
from widespread adoption of WS-Security. <grin>

I'm not an expert in security, although I do know enough to know that
it's a remarkably complex topic. The security gods have reached the
conclusion that the best way to ensure end-to-end security and to
reduce security vulnerabilities when dealing with attachments is to
make them part of the SOAP message infoset. The documents I cited can
tell you why -- but you need a pretty deep understanding of security
threats and countermeasures to truly understand them. (I'm definitely
on shaky ground when reading them.)

XML Signature requires XML Canonicalization because you absolutely
need to make sure that not one bit in the message changes to replicate
and validate a signature. That's just the way it is. The message may
get compressed or chunked or whatever in transit, so you have to be
able to reconstruct it exactly. Only canonicalization can ensure
perfect reconstruction.

Anne

On 7/28/05, Dennis Sosnoski <[EMAIL PROTECTED]> wrote:

Thanks for the pointers, Anne, I'll check out the documents.

As to the issue of attachments not being part of the Infoset - honestly,
that seems a much cleaner approach to me than making them look like
base64 encoding, as done by MTOM. WS-Security (which in turn builds on
XML Signature, which uses XML Canonicalization) is one of the most Rube
Goldberg-ish contraptions in the history of technology. It's the
equivalent of writing your data out in longhand on a whiteboard, taking
a Polaroid of the whiteboard, signing that, and enclosing it with the
transmission. The main beneficiaries of WS-Security would seem to be the
manufacturers of XML appliances, which suddenly have a huge potential
market.

IMHO there's no reason why WS-Security couldn't have been designed with
attachments in mind, and implemented the sensible approach of just
encrypting or signing the binary format directly.

 - Dennis
