xml-xmlbeans-dev mailing list archives

From David Waite <m...@akuma.org>
Subject Re: xmlbeans xml security
Date Thu, 01 Jul 2004 21:21:08 GMT
We (the company I work for) already use xmlbeans with xmlsec today; we
just create a new DOM and sign that, then import the signature block  
back into the original xmlbeans message. Because the internal format is  
lossless, this works - as long as we explicitly declare all namespaces.

On the reverse side (verification) we again create a DOM and verify the  
signature off of it. We have a patch, as the v1 XmlBeans store does not  
have full infoset fidelity with respect to namespaces, in particular  
prefix information is lost. This is one patch of many on my plate to  
review and propose. :)

-David Waite

On Jul 1, 2004, at 1:13 PM, Noah Campbell wrote:

> I was looking at the xml-sec project for dsig.  They have a
> CanonicalizerBase class that is meant to facilitate the c14n.  See
> http://cvs.apache.org/viewcvs.cgi/xml-security/src/org/apache/xml/security/c14n/implementations/
> As assumed, they use the w3c dom for parsing and canonicalizing the
> element.  Our version would use xmlbeans and simply plug in
> (knock on wood) and work.
>
> This is probably the first pass for a proof of concept and speed
> comparison.  I don't know if there are any benchmarks made already,
> but I can set up a harness for checking this.
>
> Noah
>
> On Thu, 01 Jul 2004 12:24:03 -0400, Joseph Hindsley
> <jhindsley@providerlink.com> wrote:
>>
>> Hey all,
>>
>> Forgive me for not keeping up with this thread and my general
>> ignorance of the whole topic, but when I was looking at XML signature
>> a while back, I got the impression that c14n was one of many
>> transforms that could be applied before the signing algorithm was
>> applied. If you included an XPath transform in your signature, for
>> example, you could limit the signature to only the elements specified
>> in that XPath. Also there were 2 forms of c14n Canonicalization
>> transform mentioned (and there may be others): Canonical XML and
>> Exclusive Canonical XML (http://www.w3.org/Signature/).
>>
>> I guess my questions are, why limit the implementation to only doing a
>> c14n transformation? Would it be possible to support transformations
>> in general? Or tie into a project that does that already?
>>
>> Joe Hindsley
>>
>>
>>
>>
>> On Thu, 2004-07-01 at 11:40, Eric Vasilik wrote:
>>> I think that producing c14n from an XmlBean is within the scope of
>>> XmlBeans.  Are there other aspects of security which would be
>>> appropriate?
>>>
>>> - Eric
>>>
>>>> -----Original Message-----
>>>> From: Ted Leung [mailto:twleung@sauria.com]
>>>> Sent: Wednesday, June 30, 2004 10:23 PM
>>>> To: xmlbeans-dev@xml.apache.org
>>>> Subject: Re: xmlbeans xml security
>>>>
>>>> David,
>>>>
>>>> There is already an XML Security project at xml.apache.org.  Is there
>>>> any chance of combining efforts with those folks on this?
>>>>
>>>> Ted
>>>>
>>>> On Jun 30, 2004, at 10:04 AM, David Remy wrote:
>>>>
>>>>> David (Waite),
>>>>> I got the chance to meet with Noah Campbell for dinner Mon night at
>>>>> JavaOne and he expressed an interest in contributing in the area of
>>>>> xml security.  I wonder if we should start a sandbox in cvs with a
>>>>> security directory that we could use to start experimenting on xml
>>>>> security over xmlbeans.  Unless someone has an issue with that I will
>>>>> go ahead and do it (specifically under xml-xmlbeans create a
>>>>> subdirectory called sandbox and then a security directory under it).
>>>>>
>>>>> Perhaps we should get started on an XML Sig implementation and see
>>>>> what hurdles we run into.  I *believe* at some point we are going to
>>>>> want an option on the xml store to keep things in the store
>>>>> canonically so that the big c14n copy to create and validate
>>>>> signatures can be avoided.  In the meantime though we could get
>>>>> started and therefore define any requirements that the store might
>>>>> get.
>>>>>
>>>>> It only makes sense to have a security implementation in xmlbeans if
>>>>> we can take advantage of the xml store to improve efficiency,
>>>>> otherwise we should leave it to apache xml sec ...
>>>>>
>>>>> rem
>>>>>
>>>>> - ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail:   xmlbeans-dev-unsubscribe@xml.apache.org
>>>>> For additional commands, e-mail: xmlbeans-dev-help@xml.apache.org
>>>>> Apache XMLBeans Project -- URL: http://xml.apache.org/xmlbeans/
>>>>>
>>>> ----
>>>> Ted Leung                          Blog: <http://www.sauria.com/blog>
>>>> PGP Fingerprint: 1003 7870 251F FA71 A59A  CEE3 BEBA 2B87 F5FC 4B42
>
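
An added example (not part of the original message, and not xmlbeans or xmlsec code) of why the prefix loss described at the top of this message matters on the verification side: canonicalization absorbs attribute order and empty-element syntax but keeps namespace prefixes, so a re-serialization with different prefixes no longer matches the signed digest. It uses Python's standard-library C14N 2.0 as a stand-in for the Canonical XML used with XML Signature; the sample documents and function names are constructed for illustration.

```python
import hashlib
import hmac
from xml.etree.ElementTree import canonicalize

# Constructed sample documents (not from the thread).
# SIGNED: the message as it was serialized when the digest was computed.
SIGNED = ('<po:order xmlns:po="urn:example:po">'
          '<po:item sku="A1" qty="2">widget</po:item><po:note></po:note>'
          '</po:order>')
# RESERIALIZED: same prefixes, but different attribute order, quoting,
# in-tag whitespace and empty-element syntax.
RESERIALIZED = ("<po:order xmlns:po='urn:example:po'>"
                "<po:item qty='2'  sku='A1' >widget</po:item><po:note/>"
                "</po:order>")
# PREFIX_LOST: same namespace URI and content, but the original prefix was
# not kept and a generated one was written out instead.
PREFIX_LOST = ('<ns0:order xmlns:ns0="urn:example:po">'
               '<ns0:item sku="A1" qty="2">widget</ns0:item>'
               '<ns0:note></ns0:note></ns0:order>')


def c14n_digest(xml_text, rewrite_prefixes=False):
    """SHA-256 over the canonical form, as a signature reference digest is."""
    canonical = canonicalize(xml_text, rewrite_prefixes=rewrite_prefixes)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def digest_survives(signed_xml, received_xml, rewrite_prefixes=False):
    """True if the received document still matches the digest from signing."""
    expected = c14n_digest(signed_xml, rewrite_prefixes)
    actual = c14n_digest(received_xml, rewrite_prefixes)
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    print("re-serialized, prefixes kept:", digest_survives(SIGNED, RESERIALIZED))
    print("prefixes replaced:           ", digest_survives(SIGNED, PREFIX_LOST))
    # Prefix rewriting is a C14N 2.0 option; here it only confirms that the
    # prefix is the sole difference between the two documents.
    print("prefixes replaced, rewritten:",
          digest_survives(SIGNED, PREFIX_LOST, rewrite_prefixes=True))
```

Canonical XML and Exclusive Canonical XML, the two forms named in the thread, do not rewrite prefixes, so under them the second case is the one a verifier sees.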



