ISSUE-51: Effects of schema normalization on signature verification
- State: CLOSED
- Product: XML Security 1.1 Requirements and Design Considerations
- Raised by: Scott Cantor
- Opened on: 2008-09-02
- Description:
Part of schema validation typically involves enforcing data type "correctness" for element content when elements are declared with a simple type. The rules for this check involve the use of the "schema normalized value", which allows things like whitespace to be modified in order to produce a value suitable to check for type correctness.
At least one reference in the XML Schema 1.1 specification is here:
http://www.w3.org/TR/xmlschema-1/#e-schema_normalized_value
The XSD data type documentation describes the rules for canonicalizing lexical values to produce the "schema normalized value". For example, leading and trailing whitespace is often removed.
These DOM changes are usually destructive to signature verification. Implementations have worked around this problem by simply ignoring normalization, allowing it to be selectively disabled, or even storing both the original and the normalized values in the DOM.
The most "correct" way of dealing with this is via an XML Signature Transform that forces the signer and verifier to apply these normalization rules consistently. IBM proposed such a transform several years ago, but it hasn't seen much uptake, partly because schema validation in general has mostly seen limited use in signature applications because of these problems.
- Related Action Items:
ACTION-173 on Scott Cantor to Draft some text in response to ISSUE-51 - due 2009-01-21, closed
- Related emails:
- Draft minutes for Jul 28 (from cantor.2@osu.edu on 2009-07-28)
- 2009-03-31 Minutes for Approval (from edsimon@xmlsec.com on 2009-04-03)
- Agenda: Distributed Meeting 2009-03-31 (from frederick.hirsch@nokia.com on 2009-03-30)
- Agenda: Distributed Meeting 2009-03-24 v2 (resend) (from frederick.hirsch@nokia.com on 2009-03-23)
- Agenda: Distributed Meeting 2009-03-24 v2 (from Frederick.Hirsch@nokia.com on 2009-03-23)
- Agenda: Distributed Meeting 2009-03-24 (resend) (from Frederick.Hirsch@nokia.com on 2009-03-22)
- Agenda: Distributed Meeting 2009-03-24 (from Frederick.Hirsch@nokia.com on 2009-03-22)
- Agenda: Distributed Meeting 2009-03-17 (resend) (from frederick.hirsch@nokia.com on 2009-03-11)
- Agenda: Distributed meeting 2009-03-17 (from Frederick.Hirsch@nokia.com on 2009-03-11)
- Requirements as Issues (XML Signature and Canonicalization V Next Requirements) (from gerald.edgar@boeing.com on 2009-03-09)
- Agenda: Distributed meeting 2009-01-27 v3 (from frederick.hirsch@nokia.com on 2009-01-27)
- Agenda: Distributed meeting 2009-01-27 v2 (from frederick.hirsch@nokia.com on 2009-01-26)
- Draft minutes: xmlsec face-to-face 14 January 2009 (from tlr@w3.org on 2009-01-22)
- Action: A need to address requirements listed as Issues (from gerald.edgar@boeing.com on 2008-09-22)
- Agenda: Distributed meeting #6 2008-09-09 v2 (from frederick.hirsch@nokia.com on 2008-09-09)
- Agenda: Distributed meeting #6 2008-09-09 (corrected subject) (from frederick.hirsch@nokia.com on 2008-09-05)
- Agenda: Distributed meeting #5 2008-09-09 (from frederick.hirsch@nokia.com on 2008-09-05)
- ISSUE-51 (scantor): Effects of schema normalization on signature verification [Rqmts (XML Signature and Canonicalization V Next Requirements)] (from sysbot+tracker@w3.org on 2008-09-02)
Related notes:
For 1.x, dealt with in the best practices document.
May influence design of 2.x.
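
Added example, not part of the original issue or any working group text: a Python sketch of the failure the description outlines, where a validating parser writes the schema normalized value back into the tree and the recomputed digest no longer matches. The element names, the `WHITESPACE_FACETS` map (a hypothetical stand-in for real schema type information), and the use of ElementTree's C14N 2.0 with SHA-256 are assumptions; the "normalize on both sides" case illustrates the transform idea only and is not the IBM proposal.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample: <Amount> is assumed to be declared with a simple type
# whose whiteSpace facet is "collapse"; <Note> is assumed to be "preserve".
SIGNED_XML = "<Order><Amount>  100.00\n </Amount><Note>keep  this </Note></Order>"
# Hypothetical stand-in for schema type information: element name -> facet.
WHITESPACE_FACETS = {"Amount": "collapse", "Note": "preserve"}


def schema_normalize(value, facet):
    """Apply the XSD whiteSpace facet (preserve, replace, collapse) to a value."""
    if facet == "preserve":
        return value
    value = re.sub(r"[\t\n\r]", " ", value)  # "replace" step
    if facet == "collapse":
        value = re.sub(r" +", " ", value).strip(" ")
    return value


def normalize_tree(xml_text, facets):
    """Mimic a validating parser that stores normalized values in the DOM."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        facet = facets.get(elem.tag)
        # Only simple-typed leaf elements carry a schema normalized value.
        if facet and elem.text is not None and len(elem) == 0:
            elem.text = schema_normalize(elem.text, facet)
    return ET.tostring(root, encoding="unicode")


def digest(xml_text):
    """SHA-256 over the canonical form (C14N 2.0 used here as a stand-in)."""
    return hashlib.sha256(ET.canonicalize(xml_text).encode("utf-8")).hexdigest()


def verify(xml_text, reference_digest, normalize_first):
    """Recompute the digest as a verifier would, optionally after validation."""
    if normalize_first:
        xml_text = normalize_tree(xml_text, WHITESPACE_FACETS)
    return digest(xml_text) == reference_digest


if __name__ == "__main__":
    raw = digest(SIGNED_XML)  # signer digested the original bytes
    both = digest(normalize_tree(SIGNED_XML, WHITESPACE_FACETS))
    print("verifier skips normalization:", verify(SIGNED_XML, raw, False))
    print("verifier normalizes only:   ", verify(SIGNED_XML, raw, True))
    print("both sides normalize:       ", verify(SIGNED_XML, both, True))
```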