shibboleth-dev - RE: [Shib-Dev] Canonicalization issue with signed SWITCH Shibboleth metadata
Subject: Shibboleth Developers
List archive
- From: "Scott Cantor" <>
- To: <>
- Cc: "'Hämmerle Lukas'" <>, "'La Joie Chad'" <>
- Subject: RE: [Shib-Dev] Canonicalization issue with signed SWITCH Shibboleth metadata
- Date: Tue, 10 Jun 2008 09:05:20 -0400
- Organization: The Ohio State University

> It turned out that the problem was a difference in the way
> canonicalization was performed. The canonicalization used while signing
> the metadata is "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
> which I assume means that the comments in the XML document should be
> included in the canonicalization. However, the digest value was
> calculated with comments removed.

Meaning you actually verified that the digest matches if you strip the
comments? It could also just be that the comments were added after signing
(not that that makes sense, but it's possible).

> Is this a bug in the way canonicalization is performed in Shibboleth,
> or have I misunderstood how this canonicalization should be done?

Shibboleth doesn't do this. That's lower-level code.

-- Scott
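
The check asked about in the reply above, as an added example that is not part of the original message: it hashes a constructed metadata fragment canonicalized with and without comments and reports which form a given DigestValue matches. Assumptions: SHA-1 as the digest algorithm, and Python's standard-library canonicalizer (C14N 2.0) standing in for exclusive C14N 1.0, which handles comments the same way on this sample; `digest_b64` and `classify` are illustrative names.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample, not the SWITCH metadata discussed in the thread.
SAMPLE = (
    '<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" Name="example">'
    '<!-- federation members -->'
    '<EntityDescriptor entityID="https://idp.example.org/shibboleth"/>'
    '</EntitiesDescriptor>'
)


def digest_b64(xml_text, with_comments, algo="sha1"):
    """Canonicalize xml_text and return the base64 digest of the result.

    ET.canonicalize implements C14N 2.0 (Python 3.8+); it is used here only
    to show the effect of keeping or dropping comments.
    """
    canonical = ET.canonicalize(xml_text, with_comments=with_comments)
    raw = hashlib.new(algo, canonical.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")


def classify(xml_text, digest_value, algo="sha1"):
    """Report which canonical form of xml_text the given DigestValue matches."""
    if digest_value == digest_b64(xml_text, True, algo):
        return "with-comments"
    if digest_value == digest_b64(xml_text, False, algo):
        # Consistent with two explanations: the signer dropped comments,
        # or the comments were added to the document after signing.
        return "comments-stripped"
    return "no-match"


if __name__ == "__main__":
    # Simulate a signer that hashed the comment-free form.
    signed_value = digest_b64(SAMPLE, with_comments=False)
    print("DigestValue in signature:", signed_value)
    print("verifier keeping comments:", digest_b64(SAMPLE, with_comments=True))
    print("classification:", classify(SAMPLE, signed_value))
```

A "comments-stripped" result alone cannot distinguish a signer that ignored `#WithComments` from comments inserted after signing; comparing against the file as originally published by the signer settles which one it is.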
- Canonicalization issue with signed SWITCH Shibboleth metadata, Andreas Åkre Solberg, 06/10/2008
- RE: [Shib-Dev] Canonicalization issue with signed SWITCH Shibboleth metadata, Scott Cantor, 06/10/2008