santuario-dev mailing list archives

From "Da Cruz Pinto, Juan M" <juan.m.da.cruz.pi...@intel.com>
Subject RE: c14n & PSVI
Date Thu, 24 May 2007 14:11:24 GMT
Scott,

Thanks for your answer!

I know that the c14n specs say that if a DTD is present, and there are
default attributes for a given element, these attributes must be added
before canonicalizing the document.
Anyway, I wouldn't expect to see a SOAP message with an attached DTD,
but I'll check this.

Thanks!
--Marcelo

 
-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu] 
Sent: Wednesday, May 23, 2007 12:29
To: security-dev@xml.apache.org
Subject: RE: c14n & PSVI

> - Does the library consider PSVI (Post-Schema Validation Infoset)
> information, or just the plain DOM (as an input for c14n)?

C14n is defined around the basic XML spec itself, it's not really
infoset or DOM-based IMHO.

> - How does c14n deal with default attributes as a result of
> previous schema validation?

C14n does not know anything about schema validation and cannot include
default attributes, at least not XSD stuff. I think it may operate in
awareness of DTDs, not sure about that.

> o My guess is that c14n uses just what it gets; it does not force
> you to apply schema validation before c14n, but again... I'm not sure

It not only doesn't force it, it's separate from it.

> o In my experience with WS-Security, usually you don't do any
> schema validation before signature verification, but I'm not sure how
> does it work for plain XML Signature.

One reason people don't do it is that it's hard to do safely and avoid
corrupting the signature because there are no standard transforms that
compensate for schema validation. I believe IBM proposed one at some
point but it never went anywhere because people just stopped validating.

-- Scott
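
The effect discussed in this thread, as an added example that is not part of the original messages and is not code from the library under discussion: canonicalization absorbs purely syntactic differences, but a default attribute written into the tree by schema validation changes the canonical form and so the digest. Assumptions: the sample documents and the schema default currency="USD" are constructed, Python's standard-library C14N 2.0 is used as the canonicalizer, and a bare SHA-256 over the canonical form stands in for the signature's reference digest.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample documents (no namespaces, to keep serialization simple).
SIGNED = '<order id="42"><item sku="A1" qty="2"/><note>ship by friday</note></order>'
# Same content as received: different quoting, attribute order, empty-tag form.
RECEIVED = "<order id='42'><item qty='2' sku='A1'></item><note>ship by friday</note></order>"
# Assumed schema: <item> declares an optional attribute currency with default "USD".
SCHEMA_DEFAULTS = {"item": {"currency": "USD"}}


def c14n(xml_text):
    """Canonical form of a document (C14N 2.0, Python standard library)."""
    return ET.canonicalize(xml_data=xml_text)


def digest(xml_text):
    """SHA-256 over the canonical form, standing in for a Reference digest."""
    return hashlib.sha256(c14n(xml_text).encode("utf-8")).hexdigest()


def apply_schema_defaults(xml_text, defaults):
    """Mimic a validating parser that writes schema defaults into the tree."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        for name, value in defaults.get(elem.tag, {}).items():
            if name not in elem.attrib:
                elem.set(name, value)
    return ET.tostring(root, encoding="unicode")


def verify(xml_text, signed_digest, validate_first=False):
    """Recompute the digest, optionally after schema-default augmentation."""
    if validate_first:
        xml_text = apply_schema_defaults(xml_text, SCHEMA_DEFAULTS)
    return digest(xml_text) == signed_digest


if __name__ == "__main__":
    signed_digest = digest(SIGNED)
    print("verify, no validation:   ", verify(RECEIVED, signed_digest))
    print("verify, validated first: ", verify(RECEIVED, signed_digest, True))
    print(c14n(apply_schema_defaults(RECEIVED, SCHEMA_DEFAULTS)))
```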
