This implementation report is intended to demonstrate fulfillment of the Candidate Recommendation Exit Criteria for Canonical XML 1.1:
- Test documents must have been developed with a range of usages of attributes in the XML namespace, and correct and compatible results shown for these tests by at least two implementations.
- A minimum of three months of the CR period must have elapsed.
-- Canonical XML 1.1, W3C Candidate Recommendation 21 June 2007
Canonical XML 1.1 differs from Canonical XML 1.0 in the handling of attributes in the xml namespace when document subsets are canonicalized. All tests were performed within the context of implementations of the XML Signature specification (see detailed description of test case setup), using an XPath transform to identify the signed document subset, and Canonical XML 1.1 to canonicalize it.
Testing was organized and performed by the members of the XML Security Specifications Maintenance Working Group. Five implementations participated in the testing. All five implementations submitted identical canonicalization results for all test cases.
The test cases covered the following xml namespace attributes:
- xml:lang and xml:space are "simple inheritable attributes" in the sense of section 2.4, Canonical XML 1.1. They are covered by the test cases xmllang-1 to xmllang-4 and xmlspace-1 to xmlspace-4. See detailed description of xml:lang test cases; detailed description of xml:space test cases.
- xml:id is never copied to a different element. This attribute is covered by the test cases xmlid-1 and xmlid-2. See detailed description of xml:id test cases.
- xml:base requires a relatively complicated fix-up algorithm. While there was general agreement on the desired results of that algorithm, its specification was refined during the Candidate Recommendation phase to improve specification clarity and address edge cases. This refinement process happened in close coordination with the participants in the interoperability testing.
The relevant test cases are: xmlbase-cc14n11spec-102, xmlbase-c14n11spec2-102, xmlbase-c14n11spec3-103, xmlbase-prop-1 to xmlbase-prop-7. These test cases are specifically intended to exercise those edge cases that were discovered during the Candidate Recommendation phase.
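The following is an added illustration, not code from this report or from any of the tested implementations. For an element whose parent is omitted from the canonicalized subset, it computes which xml namespace attributes are inherited from ancestors under Canonical XML 1.0 (every xml attribute, including xml:id) and under Canonical XML 1.1 (only the simple inheritable attributes). The sample document and the function names are constructed, and the xml:base fix-up is not modelled.

```python
import xml.etree.ElementTree as ET

XML_NS = "{http://www.w3.org/XML/1998/namespace}"
# "Simple inheritable attributes" per section 2.4 of Canonical XML 1.1.
SIMPLE_INHERITABLE = {"lang", "space"}

# Constructed sample document (not one of the report's test vectors).
SAMPLE = """<doc xml:lang="en" xml:space="preserve" xml:id="root">
  <section xml:lang="de" xml:id="s1">
    <para xml:space="default">text</para>
  </section>
</doc>"""
ROOT = ET.fromstring(SAMPLE)


def xml_attrs(elem):
    """Map local name -> value for the element's xml-namespace attributes."""
    return {k[len(XML_NS):]: v for k, v in elem.attrib.items()
            if k.startswith(XML_NS)}


def inherited_xml_attrs(root, apex, version):
    """xml:* attributes copied onto `apex` from its ancestors when its parent
    is omitted from the canonicalized subset. `version` is "1.0" or "1.1"."""
    if version not in ("1.0", "1.1"):
        raise ValueError("version must be '1.0' or '1.1'")
    parents = {child: parent for parent in root.iter() for child in parent}
    own = xml_attrs(apex)
    found = {}
    node = parents.get(apex)
    while node is not None:  # walk outward so the nearest occurrence wins
        for name, value in xml_attrs(node).items():
            if version == "1.1" and name not in SIMPLE_INHERITABLE:
                continue  # xml:id is never copied; xml:base fix-up not modelled
            if name not in own:
                found.setdefault(name, value)
        node = parents.get(node)
    return dict(sorted(found.items()))


if __name__ == "__main__":
    para = ROOT.find(".//para")
    for v in ("1.0", "1.1"):
        print(v, inherited_xml_attrs(ROOT, para, v))
```

With para as the apex of the subset, the 1.0 rules copy the ancestor's xml:id onto it, which leaves two elements carrying the same ID value in the canonical form; the 1.1 rules inherit only xml:lang.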
The XML Digital Signature package is bundled into IBM JREs that ship with IBM products or are downloaded for IBM systems. The XML Digital Signature package is bundled into all IBM JREs at the Java 6.0 level or higher, and by special arrangement at earlier levels. It is a separate security provider, so it would need either to be in the provider list in jre/lib/security/java.security or to be added programmatically at runtime. The C14N11 capability is currently (11 January, 2008) a technology preview that is not yet generally available.
Sun's XML Digital Signature implementation is an implementation of the standard JSR 105 API (Java XML Digital Signature API) and is included in Sun's JDK 6 and Application Server products. The C14N 1.1 implementation is not yet generally available but is targeted for future releases.
The XML Digital Signature package is part of Oracle Security Developer Tools, which is part of Oracle's Fusion Middleware platform. The upcoming AS11R1 release of Fusion Middleware includes full support for C14N version 1.1 in addition to XML Signature, XML Encryption, XML Key Management, SAML and Web Services Security technologies. The XML Digital Signature functionality can be accessed using the industry-standard JSR 105 APIs (by using the Oracle provider) or through the current OSDT XML Security APIs.
The upcxslib XML signature package runs on Java 1.4.2 or higher. It uses Sun's security provider within the JRE for basic cryptographic tasks. C14N 1.1 is not generally available at present, but its incorporation is targeted for the near future.
The IAIK XML Security Toolkit (XSECT) is the successor of the IAIK XML Signature Library (IXSIL). XSECT 1.12 or higher is scheduled to ship in Q2/2008 and will contain the C14N 1.1 implementation. C14N 1.1 will be enabled in the default mode for signature creation and may be turned off by a configuration flag, allowing for maximum flexibility. XSECT 1.12 will support all Java(TM) versions from JDK 1.3.1 onward.
None observed.