OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]
Re: [xml-dev] Normalizing and signing XML -- Xoxa

At 2015-05-28 01:39 +0100, Norman Gray wrote:
Many thanks for your very thoughtful comments -- this is exactly the sort of pushback I was hoping to get from xml-dev folk.
I'm pleased! (though "push-back" to me has such a negative connotation; I was trying to be receptive to your ideas but felt compelled to comment where I was having difficulty)

I would only make one observation regarding your follow-up, which I think is crux. I could summarize this as the massaging of content.

Where this 'Xoxa' approach scores is I think in two places:

* The 'Xoxa' equivalence class of documents is larger than for XML C14N. This is not a disadvantage, and I return to it below.
But this gets me very nervous, and I'm glad you included an example.

This 'Xoxa' procedure implies a larger equivalence class than the C18N one. Two documents such as '<p>one two&amp;</p>' and '<p>one \n\r two&#26;</p>' will have different infosets but the same Xoxa canonicalisation.
They have different infosets because there is different information in the two documents! The white-space is different, and like it or not, the relevance of white-space is up to sender and receiver, not to the tools they use. (I'll omit the accidental typo of the numeric character reference being incorrect :{)})

Now the two documents '<p>one two&amp;</p>' and '<p>one two&#x26;</p>' *are* equivalent, because the information therein is the same, they just happen to be expressed differently.

Remember that canonicalization is not only used for digital signatures. I would use canonicalization to know that two documents are identical in the information they serialize, independent of the choices made in the syntax of the two serializations.

* In many cases this won't matter. One might even guess that most XML applications (for some value of 'most') will try hard to normalise those differences away. At any rate, this approach would only apply to that (important) subset of applications where this doesn't matter.
But what process determines that it does nor does not matter? An arm's length digital signature specification would surely have to be agnostic on content while providing consistent results.

Xoxa normalizes that subset
But it should not normalize *content* ... it should be agnostic to content and normalize only the representation. I believe that is what canonicalization does: I understand that it normalizes the representation of the information without changing the information one iota.

Hence its applicability in comparing two XML documents, and in applications where the content of a document (not the representation of the document) has to be digitally signed.

Good luck in your continued explorations!

. . . . . . . Ken

Check our site for free XML, XSLT, XSL-FO and UBL developer resources |
Free 5-hour lecture: http://www.CraneSoftwrights.com/links/video.htm |
Crane Softwrights Ltd. http://www.CraneSoftwrights.com/m/ |
G. Ken Holman mailto:gkholman@CraneSoftwrights.com |
Google+ profile: http://plus.google.com/+GKenHolman-Crane/about |
Legal business disclaimers: http://www.CraneSoftwrights.com/legal |

This email has been checked for viruses by Avast antivirus software.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]

News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 1993-2007 XML.org. This site is hosted by OASIS