----- Original Message -----
From: "Tobias Rademacher" <[EMAIL PROTECTED]>
To: "Bill la Forge" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, June 06, 2001 10:36 PM
Subject: [dom4j-user] Re: digital sigs
> Hi Bill,
>
> > Digital signatures would make DOM4J a must-have, and I don't think I'm
> > speaking just for myself!
> >
> > One of the things we're looking at is an XML portal that works equally
> > well on both http and email. (Allowing us to combine B2B with P2P.)
> > Digital signatures would be a great addition.
> >
> > Bill
>
> I agree. XML Signature is necessary whenever you want to establish secure
> XML Messaging. That's necessary for ebXML (B2B) as you mentioned. Thus JCP
> publishes the JAXM Specification for Public Review this month (on the 15th),
> there's no more time to lose to implement such a system. P2P will grow all
> the time and exchanging signed XML documents could become very popular.
>
I agree too.
I want dom4j to be a great tool for working with Web Services, SOAP, B2B and
P2P technologies. Having full XML Schema Data Type support (which is really
close now) and having full support for XML Signature seems a great way
forward.
I was at a JAXM session at JavaOne on Tuesday when dom4j got a mention - it's
clear from the direction of JAXM (and JAXP & TRaX) that dom4j can cleanly
integrate with these APIs at the 'Source' and 'Result' interfaces in JAXP.
So yes, I'll be using dom4j in this space much in the future.
> As a first step we have to add Canonical XML to dom4j and then we have to
> offer signature support. Unfortunately the XML Encryption Draft isn't stable
> right now, so it makes no sense to implement that at the moment.
>
> As Canonicalization describes how a document must be styled to be comparable
> (and of course its element branches), I guess we have to add the following
> for Canonical support:
>
> 1) CanonicalNormalizer styles a non-canonical document into Canonical form.
> 2) Optionally, a CanonicalReader that reads even normalized documents and
> throws an exception if the document isn't in Canonical form.
> 3) Optionally, a CanonicalWriter to serialize a non-canonical document into
> Canonical form.
Yes that sounds like a good plan.
Maybe a SAX canonical XMLFilter would help? Then whenever XML were piped
anywhere, from text to Document or vice versa, then canonicalisation could
happen in between. It would be really reusable for SAX users too. (e.g.
already XMLWriter and HTMLWriter can be used directly from SAX as well as
dom4j to make the code more reusable).
I'm wondering if a CanonicalDocumentFactory would make sense? It could act
like a proxy DocumentFactory doing some text trimming or reordering or
whatever. I'll reread the Canonical XML spec & read the XML Signature spec
to see how I can help out.
> For XML Signature support we need a small set of classes. For that we have
> to make further security design decisions. It's never a good plan to simply
> add security and leave all backdoors (or even front doors) open. Do we
> build our own SPI for hashing or will we use any JCE-compliant library for
> that? (I don't like Sun's implementation because it's too DES-centric.) I
> suppose we should choose SHA as the hashing algorithm.
> We should create a SignatureFactory allowing the user to sign Document
> components or an entire document recursively (using a visitor or something
> like that).
>
> So that's all I have to say about this for now :0)
Great. Keep up the good work Bill & Toby!
James
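
The reason canonicalization has to come before signing, as an added example that is not part of the original thread or of dom4j: two serializations of the same content hash differently until both are normalized. The writer below is a simplified subset of Canonical XML built on the JDK DOM parser, and the class name, the constructed sample documents and the choice of SHA-256 through JCE's `MessageDigest` are assumptions of this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.TreeMap;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
public class CanonicalDigestDemo {
    // Escape markup characters in text (attr=false) or attribute values (attr=true).
    static String esc(String s, boolean attr) {
        s = s.replace("&", "&amp;").replace("<", "&lt;").replace("\r", "&#xD;");
        return attr ? s.replace("\"", "&quot;").replace("\t", "&#x9;").replace("\n", "&#xA;")
                    : s.replace(">", "&gt;");
    }
    // Simplified writer: sorted attributes, double quotes, explicit end tags; no comments, PIs or namespaces.
    static void write(Node n, StringBuilder out) {
        short t = n.getNodeType();
        if (t == Node.TEXT_NODE || t == Node.CDATA_SECTION_NODE) out.append(esc(n.getNodeValue(), false));
        if (t != Node.ELEMENT_NODE) return;
        TreeMap<String, String> attrs = new TreeMap<>();
        NamedNodeMap m = n.getAttributes();
        for (int i = 0; i < m.getLength(); i++) attrs.put(m.item(i).getNodeName(), m.item(i).getNodeValue());
        out.append('<').append(n.getNodeName());
        attrs.forEach((k, v) -> out.append(' ').append(k).append("=\"").append(esc(v, true)).append('"'));
        out.append('>');
        for (Node c = n.getFirstChild(); c != null; c = c.getNextSibling()) write(c, out);
        out.append("</").append(n.getNodeName()).append('>');
    }
    static String sha256Hex(String s) throws Exception {
        StringBuilder hex = new StringBuilder();
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        for (byte b : digest) hex.append(String.format("%02x", b));
        return hex.toString();
    }
    static String canonicalize(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs, no XXE
        Document d = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        StringBuilder out = new StringBuilder();
        write(d.getDocumentElement(), out);
        return out.toString();
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample input: same content, different quoting, attribute order and empty-tag form.
        String a = "<order id='7' currency=\"EUR\"><item/></order>";
        String b = "<order   currency='EUR'  id=\"7\"><item></item></order>";
        System.out.println("raw digests equal:       " + sha256Hex(a).equals(sha256Hex(b)));
        System.out.println("canonical digests equal: " + sha256Hex(canonicalize(a)).equals(sha256Hex(canonicalize(b))));
    }
}
```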