Re[2]: [xmlsec] canonicalization and transcoding

Rich Salz rsalz@datapower.com
Sat, 29 Mar 2003 09:20:18 -0500 (EST)


Let me try.

The XML spec allows variations; for example, the ordering of attributes
doesn't matter.
        <a foo='bar' bar='foo'/>
and
        <a bar='foo' foo='bar'/>
are equivalent, *as far as XML is concerned.*

When you generate a document, you can make your output be in some "official"
order.  But you have no guarantee that if another XML program reads your
document and makes new output, that your original order will be preserved.

That is legal behavior.

For cryptography, however, an official ordering is needed; this is called
canonicalization, or C14N (count the letters... :).  It does things like
specify the order of attributes, specify an encoding, etc.  In short, it
picks "one way" to do everything where XML allows variations.  This is
important, so that the hash will always be the same, no matter which XML
software processes the document.

For portability, you should not rely on all programs keeping your XML
document in the same ordering, etc.  You should use an XML DSIG transform.
In particular, the standard XML C14N or XML Exclusive C14N.

Hope this helps.
        /r$