santuario-dev mailing list archives

From "Mingfa Ma" <mingfa...@deepnetsecurity.com>
Subject XML canonicalization
Date Thu, 06 Jun 2013 15:29:53 GMT
Hi, Guys,

 

I have a fight with F5 on SAML authentication, and I have narrowed it
down to XML canonicalization. Please check the link for the data

 

http://nano-art.blogspot.co.uk/2013/05/saml-authentication-on-f5-big-ip-part-3.html

 

Now I got their response which put me in the dark, as I have no
knowledge on C14N.

 

Do you admit Apache Santuario was wrong on XML canonicalization?

 

Many thanks,

 

Mike Ma

 

"

After analyzing the data, PD has determined that APM is using "exclusive
canonicalization" and Apache Santuario just "canonicalization"

 

F5 is doing exclusive canonicalization which is right and Apache
Santuario is doing just Canonicalization even though it says it is doing
exclusive canonicalization from the Assertion content.

 

From: http://www.w3.org/TR/xml-exc-c14n/

 

namespace nodes that are not on the InclusiveNamespaces PrefixList are
expressed only in start tags where they are visible and if they are not
in effect from an output ancestor of that tag.

 

From: http://www.w3.org/Signature/2002/02/01-exc-c14n-interop.html

 

The first occurrence of a namespace node occurs on element nodes where
it is actually utilized.

 

In the case of F5: 

the name space declaration for "xmlns:ds" is added for Signature element
and that is where it is used first.

the name space declaration for 'xmlns:saml' is added to 'Assertion'
element and that is where it is used first.

"
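
Added example, not part of the original message and not Apache Santuario or F5 code: a Python illustration that lists which namespace declarations inclusive C14N and exclusive C14N (following the xml-exc-c14n rule quoted above) write on each start tag when a saml:Assertion subtree is canonicalized. The sample document, the helper names and the `prefix_list` parameter are constructed for illustration; it assumes a whole subtree is canonicalized and does not handle `xmlns=""` undeclarations.

```python
from xml.dom import minidom

# Constructed sample (not the data from the thread): the Response declares all
# three prefixes, and the signed subtree is the saml:Assertion element.
SAMPLE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
    ' xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<saml:Assertion ID="a1"><saml:Issuer>idp</saml:Issuer>'
    '<ds:Signature><ds:SignedInfo/></ds:Signature>'
    '</saml:Assertion></samlp:Response>'
)

def prefix_of(qname):
    """Hypothetical helper: prefix of a qualified name, '' if unprefixed."""
    return qname.split(":")[0] if ":" in qname else ""

def in_scope(elem):
    """Prefix -> URI bindings in scope on elem, inherited ones included."""
    chain = []
    while elem is not None and elem.nodeType == elem.ELEMENT_NODE:
        chain.append(elem)
        elem = elem.parentNode
    scope = {}
    for node in reversed(chain):  # outermost first, so inner bindings win
        for name, value in node.attributes.items():
            if name == "xmlns" or name.startswith("xmlns:"):
                scope[name[6:]] = value
    return scope

def rendered_decls(xml, apex_tag, exclusive, prefix_list=()):
    """List (tag, prefixes declared on its start tag) for the apex subtree."""
    apex = minidom.parseString(xml).getElementsByTagName(apex_tag)[0]
    out = []
    def walk(elem, emitted):
        scope = in_scope(elem)
        if exclusive:
            # Keep only visibly utilized prefixes: the element's own, those of
            # its qualified attributes, plus the InclusiveNamespaces PrefixList.
            used = {prefix_of(elem.tagName), *prefix_list}
            used |= {prefix_of(n) for n, _ in elem.attributes.items()
                     if ":" in n and not n.startswith("xmlns:")}
            scope = {p: scope[p] for p in used if p in scope}
        # Write a declaration only if no output ancestor already wrote it.
        new = {p: u for p, u in scope.items() if emitted.get(p) != u}
        out.append((elem.tagName, sorted(new)))
        for child in elem.childNodes:
            if child.nodeType == child.ELEMENT_NODE:
                walk(child, {**emitted, **new})
    walk(apex, {})
    return out
```

For the sample, `rendered_decls(SAMPLE, "saml:Assertion", exclusive=False)` puts ds, saml and samlp on Assertion, while `exclusive=True` puts saml on Assertion and ds on Signature, the layout the F5 response describes. Two canonical forms that differ this way hash differently, so a signature computed over one does not verify over the other.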

 

