[Standards] XMPP and W3C Digital Signature Specification
David Waite
dwaite at gmail.com
Sun Apr 6 21:33:00 CDT 2008
On Fri, Apr 4, 2008 at 9:50 PM, Peter Saint-Andre <stpeter at stpeter.im>
wrote:
>
> Who is "we"? Do you have multiple implementations in different
> codebases? One of the major concerns I have heard with XML dsig is
> interoperability (e.g., I have heard reports about serious interop
> problems with SAML). In particular, I have heard that canonicalization
> ("c14n") has caused interop problems, since different people interpret
> c14n differently (and there are 3 or 4 different c14n methods!).
XML dsig generally has interoperability issues on usage, not in
implementations. That said, it's a brutally complex specification to
implement and there are only four software implementations I can think of
off-hand (Apache's Java and C++ impls, Microsoft's C# implementation, and
libxml2/libxmlsec1).
The more significant issue is that there is no guarantee that even modern
Jabber protocol and XMPP implementations will not mess up XML in a way that
breaks canonicalization. Server to Server traffic will munge up the
namespace of the stanzas (from jabber:client to jabber:server), technically
breaking a signature over any element in the jabber:client namespace, albeit
temporarily.
If an implementation reduces a stanza to a representation that isn't an
infoset-compatible DOM, it's likely that it will reassemble the XML after
routing in a way that would break signatures that aren't in the precise
order given. Also note that every server implementation that supports S2S,
for the changing namespace reason, would require some custom DOM or custom
XML serialization engine that goes outside of what has been standardized by
the W3C.
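
Added example, not part of the original message: a Python sketch of the two breakages described above, the jabber:client to jabber:server rewrite and reassembly in a different order, measured as a SHA-256 digest over canonical XML. It assumes the standard library's C14N 2.0 with prefix rewriting as a stand-in for the XML dsig canonicalization methods; the stanza, the `<payload/>` element and its `urn:example:payload` namespace are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample stanza as a client would send it (not from the message).
# The payload element and its namespace are hypothetical.
PAYLOAD = "{urn:example:payload}payload"
CLIENT_STANZA = (
    '<message xmlns="jabber:client" to="romeo@example.net" from="juliet@example.com">'
    '<body>hello</body>'
    '<payload xmlns="urn:example:payload"><item>1</item></payload>'
    '</message>'
)

def c14n_digest(xml_text):
    """SHA-256 over the canonical form; prefixes are normalized so that only
    infoset changes (names, namespaces, order, content) alter the digest."""
    canonical = ET.canonicalize(xml_data=xml_text, rewrite_prefixes=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def s2s_rewrite(xml_text):
    """Model the S2S hop: every jabber:client element becomes jabber:server."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.tag.startswith("{jabber:client}"):
            el.tag = "{jabber:server}" + el.tag[len("{jabber:client}"):]
    return ET.tostring(root, encoding="unicode")

def reorder_children(xml_text):
    """Model a server that rebuilds the stanza with children in another order."""
    root = ET.fromstring(xml_text)
    root[:] = list(reversed(list(root)))
    return ET.tostring(root, encoding="unicode")

def subtree(xml_text, tag):
    """Serialize the first descendant with this qualified tag on its own."""
    return ET.tostring(ET.fromstring(xml_text).find(".//" + tag), encoding="unicode")

def compare():
    """Which digests survive routing: True means the digest is unchanged."""
    routed = s2s_rewrite(CLIENT_STANZA)
    return {
        "stanza_after_s2s": c14n_digest(CLIENT_STANZA) == c14n_digest(routed),
        "payload_after_s2s": c14n_digest(subtree(CLIENT_STANZA, PAYLOAD))
        == c14n_digest(subtree(routed, PAYLOAD)),
        "stanza_after_reorder": c14n_digest(CLIENT_STANZA)
        == c14n_digest(reorder_children(CLIENT_STANZA)),
    }

if __name__ == "__main__":
    print(compare())
```

A digest over the whole stanza does not survive the namespace rewrite or the reordering, while a digest scoped to a child element in its own namespace survives the rewrite.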