Hello, Aleksey.

Thanks for your reply.

Let's consider the following case:

Request - Content arrives already canonicalized, and the signed content is not 
changed between the sender and recipient by intermediaries.
Response - Content arrives at the server not canonicalized; it is signed and sent 
without canonicalizing it.

Canonicalization is only relevant for signature generation/verify, not for 
encryption/decryption.

W3C digital signature spec
When signing, there are two levels of calculation:

1. Calculate the digest of selected referenced sections of the document 
(could be any section of the document).

2. Calculate the digest on the resultant SignedInfo element that contains the 
Reference elements, containing the details of the referenced sections along 
with their calculated digest value, and details on how the SignedInfo digest 
and signature are calculated.

In (1), canonicalization can be specified using a Transform element, but it is 
*optional*.
In (2), CanonicalizationMethod is *mandatory*, but it is specified *only for 
the SignedInfo element*.

So, you see, I wonder why xmlsec performs the canonicalization even when a 
transform is not explicitly listed in the content (and thus canonicalization is 
not mandatory)?

Thank you for your help.

Shlomo
________________________________
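A worked example of the two digest levels described above, added here and not part of the thread or of xmlsec itself: it computes a Reference digest with and without a C14N Transform, canonicalizes SignedInfo as the mandatory second step, and shows how a verifier that canonicalizes by default rejects content whose sender digested the raw bytes. The Order document, the function names and the use of Python's stdlib C14N 2.0 writer (standing in for the C14N 1.0 that xmlsec applies) are all assumptions of this example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Algorithm URIs from the XML-DSig and XML-Enc specs.
DSIG = "http://www.w3.org/2000/09/xmldsig#"
C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed sample content: the raw bytes are not in canonical form (attribute
# order, empty-element syntax) although C14N leaves the XML infoset unchanged.
RAW_CONTENT = b'<Order id="o1" xmlns="urn:example"><Item sku="x" qty="2"/></Order>'

def canonicalize(xml_bytes: bytes) -> bytes:
    # Python's stdlib implements C14N 2.0 rather than the C14N 1.0 xmlsec applies;
    # the normalizations that matter here (attribute order, <e></e>) are the same.
    return ET.canonicalize(xml_bytes.decode()).encode()

def reference_digest(content: bytes, transforms: list) -> str:
    """Level 1: apply the Transforms listed in the Reference (possibly none), then digest."""
    for t in transforms:
        if t != C14N:
            raise ValueError("unsupported transform: " + t)
        content = canonicalize(content)
    return base64.b64encode(hashlib.sha256(content).digest()).decode()

def signed_info(uri: str, digest_value: str, transforms: list) -> bytes:
    """Build SignedInfo; the Transforms child appears only if transforms were used."""
    xforms = "".join(f'<Transform Algorithm="{t}"/>' for t in transforms)
    xforms = f"<Transforms>{xforms}</Transforms>" if xforms else ""
    return (f'<SignedInfo xmlns="{DSIG}"><CanonicalizationMethod Algorithm="{C14N}"/>'
            f'<SignatureMethod Algorithm="{RSA_SHA256}"/><Reference URI="{uri}">{xforms}'
            f'<DigestMethod Algorithm="{SHA256}"/><DigestValue>{digest_value}</DigestValue>'
            '</Reference></SignedInfo>').encode()

def signing_input(si: bytes) -> bytes:
    """Level 2: CanonicalizationMethod is mandatory, but it applies to SignedInfo only."""
    return canonicalize(si)

def verify_reference(content: bytes, transforms: list, expected: str,
                     c14n_by_default: bool) -> bool:
    """Verifier side. With c14n_by_default=True the verifier canonicalizes even when
    no Transform is listed, which is the xmlsec behaviour the thread asks about."""
    if c14n_by_default and C14N not in transforms:
        transforms = transforms + [C14N]
    return reference_digest(content, transforms) == expected
```

Run the "Response" case from the message above as `verify_reference(RAW_CONTENT, [], reference_digest(RAW_CONTENT, []), c14n_by_default=True)` and it returns False, while the same call with already-canonical content returns True.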

FROM: Aleksey Sanin aleksey at aleksey.com
Thu Apr 23 08:34:47 PDT 2009

http://www.w3.org/TR/xmldsig-core/

Aleksey

Shlomo Yona wrote:

> Hello,
>
> It seems that xmlsec performs canonicalization (c14n) by default when
> verifying signatures even when the input message contains no transform
> element (dsig spec doesn't require a transform element).
>
> Why?
>
> Is this behavior intentional?
>
> Thank you.
>
> Shlomo
_______________________________________________
xmlsec mailing list
http://www.aleksey.com/mailman/listinfo/xmlsec