XML.orgXML.org
FOCUS AREAS |XML-DEV |XML.org DAILY NEWSLINK |REGISTRY |RESOURCES |ABOUT
OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]
Re: [xml-dev] Normalizing and signing XML -- Xoxa
Ken, hello.

> On 2015 May 28, at 02:57, G. Ken Holman <gkholman@CraneSoftwrights.com> wrote:
> 
> At 2015-05-28 01:39 +0100, Norman Gray wrote:
>> Many thanks for your very thoughtful comments -- this is exactly the sort of pushback I was hoping to get from xml-dev folk.
> 
> I'm pleased!  (though "push-back" to me has such a negative connotation; I was trying to be receptive to your ideas but felt compelled to comment where I was having difficulty)

Oh dear, I didn't think 'pushback' was negative.  A bit of friction is necessary to stop an idea skidding off out of control.

You raise an interesting point here.

>>  * In many cases this won't matter.  One might even guess that most XML applications (for some value of 'most') will try hard to normalise those differences away.  At any rate, this approach would only apply to that (important) subset of applications where this doesn't matter.
> 
> But what process determines that it does nor does not matter?  An arm's length digital signature specification would surely have to be agnostic on content while providing consistent results.

and

>> Xoxa normalizes that subset
>> 
> But it should not normalize *content* ... it should be agnostic to content and normalize only the representation.  I believe that is what canonicalization does:  I understand that it normalizes the representation of the information without changing the information one iota.

This is an important issue.

Any canonicalization defines an equivalence class.  The Gutmann (non-)canonicalization is an extreme case, where two documents are equivalent only if they're byte-for-byte the same.  The XML C18N one is certainly the most 'natural' for XML but larger in the sense of the number of documents which it deems equivalent (differing in XML-invisible ways such as quotes), and this 'Xoxa' one is larger still, including, for example, documents which differ in whitespace or how entities are expressed (this may be an upside or a downside depending on the application).

In any particular system, it will (or may, or should) be a design choice what set of documents are deemed equivalent.  

The C18N one is the most natural one, a priori, but is quite tricky or otherwise expensive to realise.  The Gutmann one is brittle, but simple to implement (and the project I was talking about before decided that was where its optimal trade-off was). The Xoxa one is pretty easy to specify and implement, while still representing a useful equivalence, and that I think is its virtue.

So perhaps your 'it should not normalise content' is too broad a statement -- sometimes, some content normalisation doesn't matter.  Certainly it's important that XML C18N exists, but the Xoxa approach is intended as an alternative rather than a replacement.

Thanks again.

Best wishes,

Norman


-- 
Norman Gray  :  http://nxg.me.uk
SUPA School of Physics and Astronomy, University of Glasgow, UK
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]

News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 1993-2007 XML.org. This site is hosted by OASIS