[
Lists Home |
Date Index |
Thread Index
]
> Is it not time to update the XML canonicalization specification?
Why do you need canonicalization? The most common use is for security,
where c14n is necessary for digital signatures. If you are signing
something, then you must sign both the XML document, and the associated
schema. If you don't sign the schema, then the recipient (or an
adversary) can change the schema and your signature will be "broken."
For example, if a conference requires a digitally signed submission
(because it includes, say, intellectual property issues), and they
validate submissions against a DTD, or RNG, or whatever, then your
signed submission better cover the schema or your academic competitor
could get your submission invalidated.
DTD's are different from other XML Schema languages in that they can be
embedded in the XML document. Therefore, stripping out the DTD and
expanding it in-line is sensible and efficient. (It also doesn't
require us to define DTD c14n.) And, of course, SOAP outlaws DTD's.
In other words, for security reasons, DTD's are treated special because
they are special, and in cases where they aren't, it's a matter for the
DSIG spec, not the c14n specs.
Make sense?
/r$
--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
|