Mike Haller wrote:

I don't know why Canonicalization doesn't address this problem at all. It sounds like being incomplete to me. On the one hand, effort is taken to "normalize" the XML document so it can be signed to avoid problems with formatting - on the other hand something simple like newlines isn't addressed. I don't understand it.

It's because newline handling is undefined. Some applications add NL/TAB, others add NL/Space etc.

If the canonicalisation was *only* performed on the <SignedInfo/> element, then removing or adding this stuff would be fine, but the C14n algorithm is also applied to end user XML, so we can't know whether NLs have meaning.

Any characters in a TEXT node within an XML document potentially have meaning to processors of that XML. As an example - what about if my XML doc is to be processed through XML to get to an output that (in order to be human readable) requires New Lines. To go further - what if removing a new-line from that text changes the meaning in such a way as to invalidate the purpose of the document (thus making the signature fairly irrelevant).

You're right - it's not pretty - but it's an unfortunate side effect of the fact that an XML processor can't know whether New lines were added for a reason or just for pretty-printing.

Cheers,
        Berin
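The behaviour discussed in this message, as an added example that is not part of the original e-mail: canonicalization removes serialization differences, but whitespace in text nodes survives and changes the digest. It assumes Python 3.8+ and uses the standard library's C14N 2.0 `canonicalize` as a stand-in (the thread does not name a C14N version; text-node whitespace is kept by default in both); all sample documents are constructed.

```python
import hashlib
from xml.etree.ElementTree import canonicalize

# Constructed sample documents (not from the thread).
COMPACT = '<order id="7" currency="EUR"><item>widget</item><note/></order>'
# Same content; attribute order, quote style and empty-element syntax differ.
RESERIALIZED = "<order currency='EUR' id='7'><item>widget</item><note></note></order>"
# Same content after a pretty-printer added NL/space indentation.
PRETTY = '<order id="7" currency="EUR">\n  <item>widget</item>\n  <note/>\n</order>'
# The pretty-printed form with CRLF line endings.
PRETTY_CRLF = PRETTY.replace("\n", "\r\n")
# Mixed content where the spaces carry meaning for a reader.
MIXED_SPACED = "<p>do <b>not</b> pay</p>"
MIXED_JOINED = "<p>do<b>not</b>pay</p>"


def c14n_digest(xml_text, **options):
    """SHA-256 over the canonical form, as a signer would compute it."""
    canonical = canonicalize(xml_data=xml_text, **options)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def same_digest(a, b, **options):
    return c14n_digest(a, **options) == c14n_digest(b, **options)


if __name__ == "__main__":
    # Serialization-only differences are removed by canonicalization.
    print("reserialized matches compact:", same_digest(COMPACT, RESERIALIZED))
    # Indentation becomes text nodes, which C14N keeps: the digest changes.
    print("pretty matches compact:", same_digest(COMPACT, PRETTY))
    # CRLF vs LF is normalized by the XML parser before C14N sees the text.
    print("CRLF matches LF:", same_digest(PRETTY, PRETTY_CRLF))
    # Stripping text would make pretty-printing harmless...
    print("pretty matches compact (strip_text):",
          same_digest(COMPACT, PRETTY, strip_text=True))
    # ...but it also makes documents with different meaning sign identically.
    print("spaced matches joined (strip_text):",
          same_digest(MIXED_SPACED, MIXED_JOINED, strip_text=True))
```

The last comparison is the reason a canonicalizer cannot strip whitespace on the signer's behalf: two documents that read differently would verify under the same signature.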
