[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

Re: md5sum / sha1sum for XML?


sha1sum
On Fri, 2006-07-14 at 00:17 -0400, Richard Salz wrote:
> If you're sending XML from one place to another and it may be 'touched' by 
> one-or more XML processors, then you can't use md5sum,
I'm getting there Rich :-)

> 
> In order to deal with this, you should canonicalize the XML and then hash 
> that bytestream; this will give an identical digest value, even in the 
> face of those changes.  For the hashing, use SHA1.  For the 
> canonicalization use exclusive c14n, as it is more robust when your XML is 
> transported inside other XML (e.g., it becomes the body of a SOAP 
> message).

You don't mention any tools?
http://xml.apache.org/security/index.html seems to be what Sun refer to 
from their tutorial?



>   If you are always generating the XML, you might be able to make 
> some simplifying assumptions and come up with a simpler c14n mechanism; I 
> strongly suggest you avoid the temptation to do that.  If, in fact, you 
> use exc-c14n/sha1, you can probably leverage a large pool of bundled 
> and/or open source code, because those mechanisms are used in WS-Security 
> for generating a digital signature of a SOAP message; in essence you are 
> generating a <dsig:Reference> element of a standard XML digital signature, 
> as defined by W3C/IETF.

Makes me chuckle. W3C define it. Apache is the reference implementation!
Is that the way it should be?

> The second question, is how do you "protect" the digest value?  Are you 
> concerned about tampering along the way?  How do you currently protect 
> your md5sum values?  It may be enough to generate the XML digest and 
> send/store it the same way you do your md5sum value.  Or you might need to 
> go whole hog and use an XML signature.

And I thought I was cynical!
>From the little reading I've done so far xml sig uses public private
key pairs which address your latter point?

The sketch seems to be coming out as:
  produce the ExclC14N ( my case would be ignore ns's).
  Add the xml-sig 'bit' to the xml file.

Now where's the bit that let's me avoid https,
i.e. just encrypt the lot at the application layer without having
to mess with changing layers, and ship it over http.
Is it there somewhere Rich? 





> 
-- 
Regards, 

Dave Pawson
XSLT + Docbook FAQ
http://www.dpawson.co.uk


PURCHASE STYLUS STUDIO ONLINE TODAY!

Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!

Buy Stylus Studio Now

Download The World's Best XML IDE!

Accelerate XML development with our award-winning XML IDE - Download a free trial today!

Don't miss another message! Subscribe to this list today.
Email
First Name
Last Name
Company
Subscribe in XML format
RSS 2.0
Atom 0.3
 

Stylus Studio has published XML-DEV in RSS and ATOM formats, enabling users to easily subcribe to the list from their preferred news reader application.


Stylus Studio Sponsored Links are added links designed to provide related and additional information to the visitors of this website. they were not included by the author in the initial post. To view the content without the Sponsor Links please click here.

Site Map | Privacy Policy | Terms of Use | Trademarks
Free Stylus Studio XML Training:
W3C Member
Stylus Studio® and DataDirect XQuery ™are products from DataDirect Technologies, is a registered trademark of Progress Software Corporation, in the U.S. and other countries. © 2004-2013 All Rights Reserved.