[Standards-JIG] The Great Encryption Debate

Ian Paterson ian.paterson at clientside.co.uk
Fri Aug 5 09:51:48 UTC 2005


One of the Open Issues for JEP-0116 is that the options in the Esession
negotiation MUST be signed.

David Waite wrote:
> I evaluated traditional xml 
> canonicalization with xml-security a while back, and came to 
> the conclusion that servers were not conformant enough to xml 
> for xmpp to be a safe/realistic transport of signed data, 
> unless that data was under some text encoding like base64.

Base64 encoding the XML would not be compatible with JEP-0155 (or very
Jabberish). Signing only the data in a specified order without the XML
would not be extensible.

The alternative is to require both entities to remove any white-space
between elements and convert the XML into some canonical form (probably
according to http://www.w3.org/TR/2001/REC-xml-c14n-20010315). This is
an extra complication for implementors, but I would expect it to work.

Do the XML libraries client developers are currently using typically
support standard canonicalisation?

David, what were the problems you found with servers?

- Ian




More information about the Standards mailing list