OpenSAML user discussion

[Xavier Drudis Ferran <>]

On Thu, Apr 02, 2009 at 09:23:52AM -0500, Anil Saldhana wrote:
> The sender is modifying the assertion with white spaces after generating the
> signature. The receiver (Mitch) has received a signature and a modified
> assertion with white spaces.
> 
> I think the discussion is about content that is already signed.  We are
> saying you cannot modify it lest signature failure. :)
> 

Yes, I understand it so. 

Saying that you can add whitespace before signing is tautological 
and irrelevant. You can do any sort of transformation before signing, 
not just adding whitespace, you could duplicate every other XML 
element with a name starting by F if you wanted, and then sign . 

The only relevant discussion is what modifications are allowed 
between signature and verification, and this (I'm not an expert) 
is what canonicalization methods (or their equivalence classes)
define. You can do any modification between signing and
verification as long and the canonicalization result stays
the same as before your modification. 

So it all boils down to : Is there a canonicalization that 
ignores whitespace and/or pretty printing ? Not that I know. 
You could define one but it wouldn't be standard, AFAIK. 
 
But let someone knowledgeable answer. 

-- 
Xavi Drudis Ferran