   Re: [xml-dev] Canonicalizer that uses XML Schemas (rather than DTDs)?


> Is it not time to update the XML canonicalization specification?

Why do you need canonicalization?  The most common use is for security, 
where c14n is necessary for digital signatures.  If you are signing 
something, then you must sign both the XML document, and the associated 
schema.  If you don't sign the schema, then the recipient (or an 
adversary) can change the schema and your signature will be "broken." 
For example, if a conference requires a digitally signed submission 
(because it includes, say, intellectual property issues), and they 
validate submissions against a DTD, or RNG, or whatever, then your 
signed submission better cover the schema or your academic competitor 
could get your submission invalidated.

DTDs are different from other XML Schema languages in that they can be 
embedded in the XML document.  Therefore, stripping out the DTD and 
expanding it in-line is sensible and efficient.  (It also doesn't 
require us to define DTD c14n.)  And, of course, SOAP outlaws DTDs.

In other words, for security reasons, DTDs are treated specially because 
they are special, and in cases where they aren't, it's a matter for the 
DSIG spec, not the c14n specs.

Make sense?


Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
XML Security Overview  http://www.datapower.com/xmldev/xmlsecurity.html
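The point made above, that a signature covering only the document lets the schema be swapped, can be shown with a small added example that is not part of the post. It mimics XML-DSig's per-reference digests plus a signature over the manifest, with an HMAC standing in for the signer's key and constructed sample document and DTD strings; whether the verifier also checks the schema depends entirely on whether the manifest references it.

```python
import hashlib
import hmac

# Constructed sample inputs (not from the mailing list post).
DOC = b'<?xml version="1.0"?><submission><title>My Paper</title></submission>'
SCHEMA_V1 = b'<!ELEMENT submission (title)>'
SCHEMA_V2 = b'<!ELEMENT submission (title, abstract)>'  # swapped-in schema that rejects DOC
KEY = b'constructed-demo-key'  # HMAC key stands in for the signer's private key


def digest(data: bytes) -> str:
    """Digest of one referenced part (XML-DSig would canonicalize the bytes first)."""
    return hashlib.sha256(data).hexdigest()


def sign(parts: dict, key: bytes = KEY) -> dict:
    """Build a SignedInfo-like manifest over every referenced part, then sign the manifest."""
    manifest = "\n".join(f"{uri} {digest(data)}" for uri, data in sorted(parts.items()))
    sig = hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "signature": sig}


def verify(signed: dict, parts: dict, key: bytes = KEY) -> bool:
    """Check the signature over the manifest, then every digest the manifest references."""
    expected = hmac.new(key, signed["manifest"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["signature"]):
        return False
    for line in signed["manifest"].splitlines():
        uri, ref_digest = line.split(" ", 1)
        if uri not in parts or not hmac.compare_digest(digest(parts[uri]), ref_digest):
            return False  # a referenced part is missing or was altered
    return True


def document_only_signature_survives_schema_swap() -> bool:
    """Signing only the document leaves the schema unreferenced, so the swap goes unnoticed."""
    signed = sign({"doc.xml": DOC})
    return verify(signed, {"doc.xml": DOC, "submission.dtd": SCHEMA_V2})


def covering_signature_detects_schema_swap() -> bool:
    """Referencing the schema as well makes the same swap fail verification."""
    signed = sign({"doc.xml": DOC, "submission.dtd": SCHEMA_V1})
    return not verify(signed, {"doc.xml": DOC, "submission.dtd": SCHEMA_V2})
```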

