XML-Dsig
Links:
http://www.w3.org/2005/Security/xmlsig-charter
A page for discussing potential enhancements to XML-DSig 1.0 based on user experience or other standards / technology evolution
List of enhancements
Relevant mailing Lists:
(just a place holder for the moment)
http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/
http://lists.w3.org/Archives/Public/www-xml-canonicalization-comments/
- [C14N/1.1]
http://www.w3.org/2006/04/c14n-note/
After issuing C14n 1.1 there is a need to update Exclusive XML Canonicalization http://www.w3.org/TR/xml-exc-c14n/
- Relation of C14n 1.1 to XML 1.1
http://lists.w3.org/Archives/Public/public-xml-core-wg/2007Feb/0018.html
http://lists.w3.org/Archives/Public/public-xml-core-wg/2007Feb/0008.html
http://lists.w3.org/Archives/Public/public-xml-core-wg/2007Mar/0002.html
Quote: Paul asks why we are trying to define the relationship of C14N 1.1 with XML 1.1 when C14N 1.0 doesn't have a relationship with XML 1.1, and all we were trying to do is fix the problem with xml:id. The WG isn't eager to try to solve these other issues in C14N 1.1. http://lists.w3.org/Archives/Public/public-xml-core-wg/2007Apr/0003.html
- http://lists.w3.org/Archives/Public/public-xml-core-wg/2006Dec/0043.html
- [XPath Filter 2.0]
- [Default algorithms]
- [Supported cryptographic algorithms]
- RFC 4051
- FIPS186-3 DSA with stronger Hash Functions (2006/10 still a Draft)
- RSA-PSS (added in version 2.1 of PKCS #1)
- [Backwards compatibility between c14n/1.1 and c14n/1.0]
- xml:id processing: xml:id [XMLID] is an ID attribute in an XML document. Copying an ID attribute from one element to another is always wrong behavior. Applications that encounter xml:id attributes that would need to be copied around by a conforming implementation of Canonical XML 1.0 therefore experience an error condition. The problem could be caught by xml:id-aware implementations of XML Signature that always perform duplicate ID checking.
- [XMLDSig Issues]
A related problem appears when dereferencing the fragment-only URI-Reference (URI="#some-fragment") of XML Signature [XMLDSIG] <ds:Reference> elements in combination with xml:base. In particular, it is not clear whether such a reference is to be dereferenced, according to the XML Signature Reference Processing Model (http://www.w3.org/TR/xmldsig-core/#sec-ReferenceProcessingModel), as node-set data or as an octet stream. This is unclear because XML Signature [XMLDSIG] is silent about xml:base.
- [Performance issues and solutions]
- streaming processing
- [Robustness of XML digital Signatures]
- indentation
- ignorable whitespace (empty text nodes)
- schema datatype normalization
- define new URIs for a parsing Transform (e.g. http://www.w3.org/2000/09/xmldsig#Parse)
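
The duplicate ID check mentioned under "xml:id processing", sketched here as an added example in Python (not code from this page or from any XML Signature implementation). It refuses a document in which an ID value occurs twice before resolving any fragment-only <ds:Reference>. The function names, the sample documents and the choice to treat a plain "Id" attribute as an ID are assumptions of the sketch.

```python
import xml.etree.ElementTree as ET

XML_ID = "{http://www.w3.org/XML/1998/namespace}id"
DS_REFERENCE = "{http://www.w3.org/2000/09/xmldsig#}Reference"


class DuplicateIdError(ValueError):
    """An ID value is declared on more than one element."""


def build_id_index(root, id_attrs=(XML_ID, "Id")):
    """Map each ID value to its element; refuse documents with duplicates.
    Treating a plain "Id" attribute as an ID is an assumption of this sketch."""
    index = {}
    for elem in root.iter():
        for attr in id_attrs:
            value = elem.get(attr)
            if value is None:
                continue
            if value in index and index[value] is not elem:
                raise DuplicateIdError(f"ID {value!r} declared more than once")
            index[value] = elem
    return index


def resolve_references(xml_text):
    """Resolve each fragment-only ds:Reference URI to exactly one element."""
    root = ET.fromstring(xml_text)
    index = build_id_index(root)  # fails closed before any lookup
    resolved = {}
    for ref in root.iter(DS_REFERENCE):
        uri = ref.get("URI", "")
        if len(uri) < 2 or not uri.startswith("#"):
            continue  # only same-document bare-name fragments are covered
        if uri[1:] not in index:
            raise LookupError(f"Reference {uri!r} matches no element")
        resolved[uri] = index[uri[1:]]
    return resolved


# Constructed sample documents (not from the page).
SIG = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
       '<ds:SignedInfo><ds:Reference URI="#a1"/></ds:SignedInfo></ds:Signature>')
GOOD_DOC = f'<doc><item xml:id="a1">signed</item>{SIG}</doc>'
DUP_DOC = f'<doc><item xml:id="a1">signed</item><item xml:id="a1">other</item>{SIG}</doc>'

if __name__ == "__main__":
    print(resolve_references(GOOD_DOC)["#a1"].text)
```

The check runs over the whole document rather than only over referenced IDs, so a duplicate is rejected even when no signature points at it yet.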