[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

Re: Normalizing and signing XML -- Xoxa

  • From: "G. Ken Holman" <gkholman@CraneSoftwrights.com>
  • To: Norman Gray <norman@astro.gla.ac.uk>
  • Date: Wed, 27 May 2015 21:57:45 -0400

Re:  Normalizing and signing XML -- Xoxa
At 2015-05-28 01:39 +0100, Norman Gray wrote:
Many thanks for your very thoughtful comments -- this is exactly the sort of pushback I was hoping to get from xml-dev folk.
I'm pleased! (though "push-back" to me has such a negative connotation; I was trying to be receptive to your ideas but felt compelled to comment where I was having difficulty)

I would only make one observation regarding your follow-up, which I think is crux. I could summarize this as the massaging of content.

Where this 'Xoxa' approach scores is I think in two places:

* The 'Xoxa' equivalence class of documents is larger than for XML C14N. This is not a disadvantage, and I return to it below.
But this gets me very nervous, and I'm glad you included an example.

This 'Xoxa' procedure implies a larger equivalence class than the C18N one. Two documents such as '<p>one two&amp;</p>' and '<p>one \n\r two&#26;</p>' will have different infosets but the same Xoxa canonicalisation.
They have different infosets because there is different information in the two documents! The white-space is different, and like it or not, the relevance of white-space is up to sender and receiver, not to the tools they use. (I'll omit the accidental typo of the numeric character reference being incorrect :{)})

Now the two documents '<p>one two&amp;</p>' and '<p>one two&#x26;</p>' *are* equivalent, because the information therein is the same, they just happen to be expressed differently.

Remember that canonicalization is not only used for digital signatures. I would use canonicalization to know that two documents are identical in the information they serialize, independent of the choices made in the syntax of the two serializations.

* In many cases this won't matter. One might even guess that most XML applications (for some value of 'most') will try hard to normalise those differences away. At any rate, this approach would only apply to that (important) subset of applications where this doesn't matter.
But what process determines that it does nor does not matter? An arm's length digital signature specification would surely have to be agnostic on content while providing consistent results.

Xoxa normalizes that subset
But it should not normalize *content* ... it should be agnostic to content and normalize only the representation. I believe that is what canonicalization does: I understand that it normalizes the representation of the information without changing the information one iota.

Hence its applicability in comparing two XML documents, and in applications where the content of a document (not the representation of the document) has to be digitally signed.

Good luck in your continued explorations!

. . . . . . . Ken


--
Check our site for free XML, XSLT, XSL-FO and UBL developer resources |
Free 5-hour lecture: http://www.CraneSoftwrights.com/links/video.htm |
Crane Softwrights Ltd. http://www.CraneSoftwrights.com/m/ |
G. Ken Holman mailto:gkholman@CraneSoftwrights.com |
Google+ profile: http://plus.google.com/+GKenHolman-Crane/about |
Legal business disclaimers: http://www.CraneSoftwrights.com/legal |


---
This email has been checked for viruses by Avast antivirus software.
http://www.avast.com



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]


PURCHASE STYLUS STUDIO ONLINE TODAY!

Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!

Buy Stylus Studio Now

Download The World's Best XML IDE!

Accelerate XML development with our award-winning XML IDE - Download a free trial today!

Don't miss another message! Subscribe to this list today.
Email
First Name
Last Name
Company
Subscribe in XML format
RSS 2.0
Atom 0.3
 

Stylus Studio has published XML-DEV in RSS and ATOM formats, enabling users to easily subcribe to the list from their preferred news reader application.


Stylus Studio Sponsored Links are added links designed to provide related and additional information to the visitors of this website. they were not included by the author in the initial post. To view the content without the Sponsor Links please click here.

Site Map | Privacy Policy | Terms of Use | Trademarks
Free Stylus Studio XML Training:
W3C Member
Stylus Studio® and DataDirect XQuery ™are products from DataDirect Technologies, is a registered trademark of Progress Software Corporation, in the U.S. and other countries. © 2004-2013 All Rights Reserved.