I've sent you the spec. Please read the c14n part and what
the signature generator should do when the c14n transform is missing.

Aleksey

Shlomo Yona wrote:
Hello, Aleksey.

Thanks for your reply.

Let’s consider the following case:

Request - Content arrives already canonicalized, and the signed content is not changed between the sender and recipient by intermediaries.

Response - Content arrives at the server non-canonicalized, and is signed and sent without canonicalizing it.

Canonicalization is only relevant for signature generation/verify, not for encryption/decryption.

*W3C digital signature spec*

When signing, there are two levels of calculation:

1. Calculate digest of selected referenced sections of the document (could be any section of the document).

2. Calculate digest on the resultant SignedInfo element that contains the Reference elements, containing the details of the referenced sections along with their calculated digest value, and details on how the SignedInfo digest and signature are calculated.

In (1), canonicalization can be specified using a Transform element, but it is **optional**.

In (2), CanonicalizationMethod is **mandatory**, but it is specified **only for the SignedInfo element**.

So, you see, I wonder why xmlsec performs the canonicalization even when a transform is not explicitly listed in the content (thus canonicalization is not mandatory)?

Thank you for your help.

Shlomo
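The two-level computation Shlomo describes, as an added example that is not part of this thread or of xmlsec's code: a toy Python signer and verifier that digests a referenced document (level 1) and then HMACs the canonicalized SignedInfo (level 2). It models the question in the thread directly: whether the verifier canonicalizes the referenced data when the Reference lists no c14n Transform. The spec's Reference Processing Model (xmldsig-core section 4.3.3.2) does say that when the dereferenced result is a node-set, as for a same-document URI="", the default is to canonicalize it with Canonical XML even without a Transform; the toy's c14n_when_no_transform flag switches that default on and off so both behaviours can be compared. Assumptions: the document bytes, the key and the algorithm choices (HMAC-SHA256 rather than a public-key SignatureMethod) are constructed for the demonstration, and the standard library's canonicalize() implements C14N 2.0 rather than the C14N 1.0 that XML-DSig names; only the fact that canonical bytes differ from the raw serialization matters here.

```python
import base64
import hashlib
import hmac
from xml.etree import ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"

# Constructed sample: well-formed but not canonical (single quotes, stray
# whitespace before '>', an empty-element tag, unsorted attributes).
RAW_DOC = (b"<Order status='new' id=\"42\" >"
           b"<Item sku=\"A1\" qty='2'/>"
           b"<Total>19.90</Total></Order>")
KEY = b"constructed-demo-hmac-key"  # assumption: a shared HMAC key


def c14n(data: bytes) -> bytes:
    """Canonicalize.  Assumption: the stdlib implements C14N 2.0, not the
    C14N 1.0 that XML-DSig names; for this demonstration only the fact
    that canonical bytes differ from the raw serialization matters."""
    return ET.canonicalize(data.decode("utf-8")).encode("utf-8")


def digest(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def sign(doc: bytes, key: bytes, list_c14n_transform: bool) -> tuple:
    """Level 1: digest the referenced content, canonicalized only if the
    Reference lists a c14n Transform.  Level 2: sign the canonical
    SignedInfo (CanonicalizationMethod is mandatory and applies only there).
    Returns (SignedInfo XML, base64 SignatureValue)."""
    transforms = (f'<Transforms><Transform Algorithm="{C14N}"/></Transforms>'
                  if list_c14n_transform else "")
    ref_data = c14n(doc) if list_c14n_transform else doc
    signed_info = (
        f'<SignedInfo xmlns="{DSIG}">'
        f'<CanonicalizationMethod Algorithm="{C14N}"/>'
        f'<SignatureMethod Algorithm="{HMAC_SHA256}"/>'
        f'<Reference URI="">{transforms}'
        f'<DigestMethod Algorithm="{SHA256}"/>'
        f'<DigestValue>{digest(ref_data)}</DigestValue>'
        f'</Reference></SignedInfo>')
    mac = hmac.new(key, c14n(signed_info.encode()), hashlib.sha256).digest()
    return signed_info, base64.b64encode(mac).decode()


def verify(doc: bytes, key: bytes, signed_info: str, signature: str,
           c14n_when_no_transform: bool) -> bool:
    """Recompute both levels.  c14n_when_no_transform models a verifier that
    canonicalizes the referenced node-set even when the Reference lists no
    Transform (the default the thread asks about)."""
    root = ET.fromstring(signed_info)
    ref = root.find(f"{{{DSIG}}}Reference")
    has_c14n = any(t.get("Algorithm") == C14N
                   for t in ref.iter(f"{{{DSIG}}}Transform"))
    ref_data = c14n(doc) if (has_c14n or c14n_when_no_transform) else doc
    if ref.findtext(f"{{{DSIG}}}DigestValue") != digest(ref_data):
        return False  # level 1: Reference digest mismatch
    expected = hmac.new(key, c14n(signed_info.encode()), hashlib.sha256).digest()
    return hmac.compare_digest(expected, base64.b64decode(signature))  # level 2


def outcomes(doc: bytes = RAW_DOC) -> dict:
    """Every combination of signer listing / not listing the Transform
    against a verifier that does / does not canonicalize by default."""
    results = {}
    for listed in (True, False):
        si, sig = sign(doc, KEY, listed)
        for default_c14n in (True, False):
            results[(listed, default_c14n)] = verify(doc, KEY, si, sig, default_c14n)
    return results


if __name__ == "__main__":
    for (listed, default_c14n), ok in outcomes().items():
        print(f"Transform listed={listed!s:5}  verifier c14n by default={default_c14n!s:5}  -> {ok}")
    # A document that arrives already canonical verifies either way.
    print(outcomes(c14n(RAW_DOC)))
```

The only failing combination is a signer that digested the raw, non-canonical bytes without listing a Transform against a verifier that canonicalizes by default, which is the "Response" case above; an already canonical document (the "Request" case) verifies under all four combinations because canonicalization is idempotent.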

------------------------------------------------------------------------

*FROM: Aleksey Sanin* aleksey at aleksey.com / Thu Apr 23 08:34:47 PDT 2009 /

http://www.w3.org/TR/xmldsig-core/

Aleksey

Shlomo Yona wrote:

Hello,

It seems that xmlsec performs canonicalization (c14n) by default when
verifying signatures even when the input message contains no transform
element (dsig spec doesn't require a transform element).

Why?

Is this behavior intentional?

Thank you.

Shlomo


------------------------------------------------------------------------

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec