
mace-opensaml-users - Re: [OpenSAML] XML signatures and canonicalization

Subject: OpenSAML user discussion

  • From: Xavier Drudis Ferran <>
  • To:
  • Subject: Re: [OpenSAML] XML signatures and canonicalization
  • Date: Thu, 2 Apr 2009 16:33:38 +0200

On Thu, Apr 02, 2009 at 09:23:52AM -0500, Anil Saldhana wrote:
> The sender is modifying the assertion with white spaces after generating the
> signature. The receiver (Mitch) has received a signature and a modified
> assertion with white spaces.
>
> I think the discussion is about content that is already signed. We are
> saying you cannot modify it lest signature failure. :)
>

Yes, I understand it so.

Saying that you can add whitespace before signing is tautological
and irrelevant. You can do any sort of transformation before signing,
not just adding whitespace, you could duplicate every other XML
element with a name starting with F if you wanted, and then sign.

The only relevant discussion is what modifications are allowed
between signature and verification, and this (I'm not an expert)
is what canonicalization methods (or their equivalence classes)
define. You can do any modification between signing and
verification as long as the canonicalization result stays
the same as before your modification.

So it all boils down to: Is there a canonicalization that
ignores whitespace and/or pretty printing? Not that I know.
You could define one but it wouldn't be standard, AFAIK.

But let someone knowledgeable answer.

--
Xavi Drudis Ferran
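
Added example, not part of the original message or of OpenSAML: it checks which post-signing edits leave the canonical form, and therefore the signed digest, unchanged. It assumes Python's standard-library `canonicalize` (C14N 2.0) as a stand-in for the Exclusive C14N that SAML signatures normally use, which likewise retains whitespace in element content; the sample XML is constructed.

```python
import hashlib
from xml.etree.ElementTree import canonicalize

# Constructed sample: a minimal SAML-like assertion as it looked when signed.
SIGNED = ('<Assertion ID="a1" Version="2.0">'
          '<Issuer>idp.example</Issuer><Subject/></Assertion>')

# Edited after signing, markup only: attribute order, spaces inside tags,
# and <Subject/> expanded to <Subject></Subject>.
MARKUP_ONLY = ('<Assertion   Version="2.0"  ID="a1" >'
               '<Issuer >idp.example</Issuer><Subject></Subject></Assertion>')

# Edited after signing by a pretty-printer: new whitespace text nodes
# between the child elements.
PRETTY = ('<Assertion ID="a1" Version="2.0">\n'
          '  <Issuer>idp.example</Issuer>\n'
          '  <Subject/>\n'
          '</Assertion>')


def c14n_digest(xml_text, strip_text=False):
    """SHA-256 over the canonical form, as a signature reference digest would be."""
    canonical = canonicalize(xml_text, strip_text=strip_text)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def survives(original, modified, strip_text=False):
    """True if 'modified' canonicalizes to the same bytes as 'original'."""
    return (c14n_digest(original, strip_text)
            == c14n_digest(modified, strip_text))


if __name__ == "__main__":
    # Markup-level differences are absorbed by canonicalization.
    print("markup-only edit verifies:", survives(SIGNED, MARKUP_ONLY))
    # Whitespace in element content is data, so the digest changes.
    print("pretty-printed verifies:  ", survives(SIGNED, PRETTY))
    # strip_text is an option of Python's C14N 2.0 implementation; C14N 1.0
    # and Exclusive C14N have no such setting, so a verifier using them
    # still rejects the pretty-printed copy.
    print("pretty-printed, strip_text=True:",
          survives(SIGNED, PRETTY, strip_text=True))
```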



