ISSUE-51: Effects of schema normalization on signature verification

schema normalization

State:
CLOSED
Product:
XML Security 1.1 Requirements and Design Considerations
Raised by:
Scott Cantor
Opened on:
2008-09-02
Description:
Part of schema validation typically involves enforcing data type "correctness" for element content when elements are declared with a simple type. The rules for this check involve the use of the "schema normalized value", which allows things like whitespace to be modified in order to produce a value suitable to check for type correctness.

At least one reference in the XML Schema 1.1 specification is here:
http://www.w3.org/TR/xmlschema-1/#e-schema_normalized_value

The XSD data type documentation describes the rules for canonicalizing lexical values to produce the "schema normalized value". For example, leading and trailing whitespace is often removed.

These DOM changes are usually destructive to signature verification. Implementations have worked around this problem by simply ignoring normalization, allowing it to be selectively disabled, or even storing both the original and the normalized values in the DOM.

The most "correct" way of dealing with this is via an XML Signature Transform that forces the signer and verifier to apply these normalization rules consistently. IBM proposed such a transform several years ago, but it hasn't seen much uptake, partly because schema validation in general has mostly seen limited use in signature applications because of these problems.
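
The effect described above, as an added example that is not part of the original issue or of any implementation it mentions: a reference digest is computed over a constructed document, then re-checked after a validating parser has written schema normalized values into the tree, and again with a normalization step that both sides apply. Assumptions: `COLLAPSE_TAGS` is a hypothetical stand-in for real schema type information, `ET.canonicalize` (C14N 2.0) stands in for whichever canonicalization the signature names, and only the reference digest is modelled, not the signature value.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample document. Assumption: <sku> and <qty> are declared with
# simple types whose whiteSpace facet is "collapse" (e.g. xs:token, xs:int).
SIGNED_XML = "<order><sku>  AB-123 \n</sku><qty> 4 </qty></order>"
COLLAPSE_TAGS = {"sku", "qty"}  # hypothetical stand-in for real schema type info

def collapse(value):
    # XSD whiteSpace="collapse": TAB/LF/CR become spaces, runs shrink to one
    # space, leading and trailing spaces are dropped.
    return re.sub(r"[ \t\n\r]+", " ", value).strip(" ")

def schema_normalize(root):
    # Mimics a validating parser that writes normalized values into the tree.
    for el in root.iter():
        if el.tag in COLLAPSE_TAGS and el.text is not None:
            el.text = collapse(el.text)
    return root

def digest(root, normalize_transform=False):
    # normalize_transform=True models a transform that signer and verifier
    # both apply before canonicalization.
    if normalize_transform:
        root = schema_normalize(root)
    c14n = ET.canonicalize(ET.tostring(root, encoding="unicode"))
    return hashlib.sha256(c14n.encode("utf-8")).hexdigest()

def verify(reference_digest, received_xml, validate_first, normalize_transform=False):
    root = ET.fromstring(received_xml)
    if validate_first:  # schema validation ran before the signature check
        schema_normalize(root)
    return digest(root, normalize_transform) == reference_digest

def demo():
    plain = digest(ET.fromstring(SIGNED_XML))
    with_transform = digest(ET.fromstring(SIGNED_XML), normalize_transform=True)
    return {
        "no validation": verify(plain, SIGNED_XML, validate_first=False),
        "validated, then verified": verify(plain, SIGNED_XML, validate_first=True),
        "validated, shared transform": verify(with_transform, SIGNED_XML, True, True),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'digest matches' if ok else 'DIGEST MISMATCH'}")
```
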
Related Actions Items:
Related emails:
  1. Draft minutes for Jul 28 (from cantor.2@osu.edu on 2009-07-28)
  2. 2009-03-31 Minutes for Approval (from edsimon@xmlsec.com on 2009-04-03)
  3. Agenda: Distributed Meeting 2009-03-31 (from frederick.hirsch@nokia.com on 2009-03-30)
  4. Agenda: Distributed Meeting 2009-03-24 v2 (resend) (from frederick.hirsch@nokia.com on 2009-03-23)
  5. Agenda: Distributed Meeting 2009-03-24 v2 (from Frederick.Hirsch@nokia.com on 2009-03-23)
  6. Agenda: Distributed Meeting 2009-03-24 (resend) (from Frederick.Hirsch@nokia.com on 2009-03-22)
  7. Agenda: Distributed Meeting 2009-03-24 (from Frederick.Hirsch@nokia.com on 2009-03-22)
  8. Agenda: Distributed Meeting 2009-03-17 (resend) (from frederick.hirsch@nokia.com on 2009-03-11)
  9. Agenda: Distributed meeting 2009-03-17 (from Frederick.Hirsch@nokia.com on 2009-03-11)
  10. Requirements as Issues (XML Signature and Canonicalization V Next Requirements) (from gerald.edgar@boeing.com on 2009-03-09)
  11. Agenda: Distributed meeting 2009-01-27 v3 (from frederick.hirsch@nokia.com on 2009-01-27)
  12. Agenda: Distributed meeting 2009-01-27 v2 (from frederick.hirsch@nokia.com on 2009-01-26)
  13. Draft minutes: xmlsec face-to-face 14 January 2009 (from tlr@w3.org on 2009-01-22)
  14. Action: A need to address requirements listed as Issues (from gerald.edgar@boeing.com on 2008-09-22)
  15. Agenda: Distributed meeting #6 2008-09-09 v2 (from frederick.hirsch@nokia.com on 2008-09-09)
  16. Agenda: Distributed meeting #6 2008-09-09 (corrected subject) (from frederick.hirsch@nokia.com on 2008-09-05)
  17. Agenda: Distributed meeting #5 2008-09-09 (from frederick.hirsch@nokia.com on 2008-09-05)
  18. ISSUE-51 (scantor): Effects of schema normalization on signature verification [Rqmts (XML Signature and Canonicalization V Next Requirements)] (from sysbot+tracker@w3.org on 2008-09-02)

Related notes:

For 1.x, dealt with in the best practices document.

May influence design of 2.x.

Thomas Roessler, 6 Apr 2009, 13:43:57
