ACTION-170: Write about C14n and DTD processing

State: closed
Person: Bradley Hill
Due on: January 21, 2009
Created on: January 14, 2009
Related emails:
  1. Draft minutes: xmlsec face-to-face 14 January 2009 (from tlr@w3.org on 2009-01-22)

Related notes:


4.2.1 Processing of DTDs

It should also be noted in the context of proposed changes to the transform processing model that canonicalization/pre-hashing algorithms to be defined for XML Signature 2.0 are likely not to imply DTD validation and entity expansion. The choice and order of DTD resolution and entity expansion relative to signature creation and validation would thus fall to application workflow outside of core XMLDSIG. The change will introduce additional complexity for applications relying on entities, but entity expansion as a mandatory part of signature validation is incompatible with core requirements of XMLDSIG. For example, DTD processing makes time and resource requirements for core validation non-deterministic, introduces difficult-to-control resource resolution requirements and requires tight coupling between validators and signed content consumers to ensure they have the same view of DTDs.

The working group invites comments on this change and whether it would necessitate an additional, OPTIONAL, attribute or other declaration to indicate DTD validation and entity expansion prior to hashing (perhaps with the DTD itself mandatorily included as a reference in the same signature) to support common use cases in the community.

Bradley Hill, 14 Jan 2009, 22:16:29
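
The coupling problem described in the note, as an added example that is not part of the original note or of any working group text: the same signed body is hashed under two different DTD views, once with entity expansion before canonicalization and once without. The sample documents, the entity name `amount` and the helper `serialize_without_expansion` are constructed for illustration; the non-expanding step is a hypothetical stand-in that serializes elements and text only, not an XML Signature 2.0 algorithm.

```python
import hashlib
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed sample: one signed body, two parties holding different DTD views.
BODY = "<order><pay>&amount;</pay></order>"
SIGNER_DOC = '<!DOCTYPE order [<!ENTITY amount "100">]>' + BODY
VERIFIER_DOC = '<!DOCTYPE order [<!ENTITY amount "900">]>' + BODY


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def canonical_with_expansion(doc):
    """ElementTree expands internal entities while parsing; output is C14N 2.0."""
    return ET.canonicalize(xml_data=doc)


def serialize_without_expansion(doc):
    """Hypothetical pre-hashing step that ignores the DTD (assumption).

    Setting expat's DefaultHandler turns off expansion of internal entities,
    so a reference reaches the handler as literal text such as '&amount;'.
    Only elements and text are handled, which is all the sample contains.
    """
    out = []
    keep_refs = lambda data: out.append(data) if data.startswith("&") else None
    parser = expat.ParserCreate()
    parser.StartElementHandler = lambda name, attrs: out.append("<%s>" % name)
    parser.EndElementHandler = lambda name: out.append("</%s>" % name)
    parser.CharacterDataHandler = out.append
    parser.DefaultHandler = keep_refs  # DOCTYPE pieces are dropped here
    parser.Parse(doc, True)
    return "".join(out)


def compare_views():
    """Do signer and verifier compute the same digest under each model?"""
    docs = (SIGNER_DOC, VERIFIER_DOC)
    expanded = [sha256_hex(canonical_with_expansion(d)) for d in docs]
    literal = [sha256_hex(serialize_without_expansion(d)) for d in docs]
    return {"expanded_match": expanded[0] == expanded[1],
            "literal_match": literal[0] == literal[1]}


if __name__ == "__main__":
    print(canonical_with_expansion(SIGNER_DOC))
    print(serialize_without_expansion(SIGNER_DOC))
    print(compare_views())
```

With expansion the digest depends on which entity definition each party resolved; without it the digest is independent of the DTD, and what `&amount;` means to the consumer is left to the application workflow.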
