RE: XML-Signature + canonicalization

[Lawrence McCay]

Title: Message

You may also find the basic security profile specification from WS-I interesting - it specifically defines the interoperability issues and recomendations for c14n as well other security related aspects of ws-security:   http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0-2004-05-12.html   --Larry -----Original Message----- From: Blake Dournaee [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 16, 2004 2:15 PM To: 'von Neefe, Achim' Cc: [EMAIL PROTECTED] Subject: RE: XML-Signature + canonicalization Achim,   Canonicalization is intended to normalize changes during XML parsing and processing, and doesn’t normalize all white space in general. The reason why is because white space is significant in an XML document, so adding white space in between elements is the same as breaking the signature.   For example, if I add white space *after* the document element (root) of an XML document, C14N will normalize this if these nodes are in scope for the canonicalization routine. In addition, C14N removes white space within start and end tags.   For example, <element     > will become <element>.   If, for example, I add white space * in between * my elements, this will break the signature. The C14N algorithm is well designed and doesn’t make any big blunders such as normalizing all white space in a naïve sort of way.   As for the Japanese characters issue, I am not entirely sure about this. The purpose of the C14N routine is to create a physical UTF-8 representation of the node-set, so if the characters in question have a unique representation in UTF-8, then there should be no problems. I am not, however, a foreign characters specialist. I don’t recall the interop issues being specifically related to handling foreign characters.   It sounds like someone is throwing up some objections to XML Signature for you to climb over. I have seen this standard evolve from the beginning and I can say that I am confident in its adoption and usage, especially for documents that need selective signing or multiple signatures by different parties.   Can you elaborate on your project a little bit? There are a lot of different ways to use XML Signature, either alone or in conjunction with another standard like WS-Security. It really depends on the business problem you are trying to solve.   Kind Regards,   Blake Dournaee Senior Security Architect Sarvega, Inc.     From: von Neefe, Achim [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 16, 2004 10:03 AM To: '[EMAIL PROTECTED]' Cc: 'Blake Dournaee' Subject: RE: XML-Signature + canonicalization   Hi Blake,   thanks for your response.   Here are some additional concerns that were brought up during a conference call today.   1) It is possible to tamper with a message by inserting some kind of whitespace and still get the signature validated.   2) Problems with non-european Unicode character sets like japanese.   Did someone run into problems with these two issues? Are these known issues?   Achim -----Original Message----- From: Blake Dournaee [mailto:[EMAIL PROTECTED] Sent: Mittwoch, 16. Juni 2004 18:45 To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; 'Girish Juneja' Subject: RE: XML-Signature + canonicalization Hello Achim,   I think it would be fair to say that when XML Signature was just maturing most of the implementation details that caused trouble had to do with one form of canonicalization or another. If you add to this the additional exclusive canonicalization routine, the picture does get a bit confusing.   Fortunately, the standard is matured and has come a long away. There was an extensive interoperability event a few years ago for XML Signature itself and 2 interoperability events for WS-Security, which uses XML Signature + Exclusive Canonicalization. I would make the argument that while canonicalization can be tricky to get right, many implementations have done this and they all work fine together.   The link to the original XML Signature interoperability event can be found here:   http://www.w3.org/Signature/2001/04/05-xmldsig-interop.html     As for large files, I would say that you have to weigh the benefits of XML Signature versus a binary format. It is true that XML Signature is an expensive operation, but done with the right tools it is possible to sign (and canonicalize) large XML documents (50MB or bigger) at wire-speed. You have to look at your specific driving requirements for XML Signatures - it isn't always best to choose the latest and greatest format if you have no need for it brings to the table.   Kind Regards,   Blake Dournaee Senior Security Architect Sarvega, Inc.         From: von Neefe, Achim [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 16, 2004 1:34 AM To: '[EMAIL PROTECTED]' Subject: XML-Signature + canonicalization   Hi all, I apologize if this is not the right forum for the following questions. One of our partners intended to use XML-Signature, but now claims that there are too many interoperability problems with the canonicalization algorithm. Can someone share her/his experience in that area? We intend to also use XML-Signature for potentially large files. Does someone have experience with the performance behaviour as the file size increases? Is there a degeneration due to the cost of canonicalization? Thanks, Achim -------------------------------------------------------------- T-Mobile International Achim von Neefe - Mobile Payment Solutions - Landgrabenweg 151 D-53227 Bonn Tel.: +49 228 936 37448 Email: [EMAIL PROTECTED]e.de Internet: www.t-mobile-international.com