Return-Path: Delivered-To: apmail-xml-security-dev-archive@www.apache.org Received: (qmail 3045 invoked from network); 26 Jan 2006 01:49:08 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 26 Jan 2006 01:49:08 -0000 Received: (qmail 23724 invoked by uid 500); 26 Jan 2006 01:49:07 -0000 Delivered-To: apmail-xml-security-dev-archive@xml.apache.org Received: (qmail 23706 invoked by uid 500); 26 Jan 2006 01:49:07 -0000 Mailing-List: contact security-dev-help@xml.apache.org; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: Reply-To: security-dev@xml.apache.org List-Id: Delivered-To: mailing list security-dev@xml.apache.org Received: (qmail 23695 invoked by uid 99); 26 Jan 2006 01:49:07 -0000 Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 25 Jan 2006 17:49:07 -0800 X-ASF-Spam-Status: No, hits=0.0 required=10.0 tests= X-Spam-Check-By: apache.org Received-SPF: pass (asf.osuosl.org: local policy) Received: from [128.146.216.134] (HELO defang20.it.ohio-state.edu) (128.146.216.134) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 25 Jan 2006 17:49:06 -0800 Received: from bytor (krc-ras15.oitlan.oit.ohio-state.edu [128.146.156.216]) by defang20.it.ohio-state.edu (8.13.1/8.13.1) with ESMTP id k0Q1mjxa025821 for ; Wed, 25 Jan 2006 20:48:45 -0500 From: "Scott Cantor" To: Subject: RE: base64 elements linebreak Date: Wed, 25 Jan 2006 20:48:45 -0500 Organization: The Ohio State University Message-ID: <001401c6221a$a4b2e780$6501a8c0@oit.ohiostate.edu> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 11 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.2527 Thread-index: AcYiFMU2Kik03O/OSpqs69fh5nWlIwAA/AYw In-reply-to: <20060126010615.25073.qmail@web36705.mail.mud.yahoo.com> X-Spam-Score: undef - spam scanning disabled X-CanItPRO-Stream: outbound X-Scanned-By: CanIt (www . roaringpenguin . com) on 128.146.216.12 X-Virus-Checked: Checked by ClamAV on apache.org X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N > So, for example, if the original base64 encoded data > comes through SMTP, we will have to decode and encode > it again if we have to put the same value in an XML? No, precisely the opposite. Anything you get that's legal base64, whatever the line length, is "legal" XML, and moreover is valid with respect to the rules for base64Binary in XSD. So saying that it should look a certain way is only advisory. In other words, xmlsec producing the line feeds is legal. That's all I was trying to say. Requiring them would not be, obviously. I must have said something that confused you or that I didn't say clearly. I wasn't trying to argue anything else. > What I am driving at is that having new lines in > base64 encoded data is not restricted by any spec - in > fact it is deemed necessary by at least one spec. > And also that you can make your decoder flexible by > checking and setting the flag as I mentioned earlier. Sure. All I was saying in the thread was that one reason why the linefeeds were useful was because that flag was either not known, not implemented, etc, so without them, using OpenSSL's decoder was a problem. And the workaround was to not use OpenSSL's decoder, which is really the better solution...yeah, the flag's there, but why bother when you can just do it in one pass without examining the data first? > But normalization is a real problem for signature > validation, as you mentioned earlier - looks like > whitespace facet for signed content must always be > preserve - particularly if you have schema validators > before signature verification. Correct, and of course this isn't allowed by XSD, which requires collapse for base64Binary. So you have to turn the normalization off to get it to work. In practice, what makes things tend to work is that schema validation and signature-oriented applications aren't all that overlapping in practice, something I had to learn the hard way. -- Scott