
Article:
 XML Canonicalization
Subject: Need clarification
Date: 2002-09-20 11:33:19
From: Charlie Kaiman

I'm afraid I'm a bit confused. If I have an important document that needs to be sent over the wire and verified bit-by-bit, why does it matter what format it is in? How is it any more difficult to verify a non-canonicalized XML document than a canonicalized form? I can understand that it might mean more bits to verify in the non-canonicalized format, but I don't understand why canonicalization makes the transaction any more secure?


In other words, is there a clear, concise reason that an XML document MUST be canonicalized, if it is to be considered secure? Or is it just preferable to have a canonicalized version?


  • Re: Need clarification
    2002-09-20 13:04:29 Richard Hough

    XML is a markup language for data; it describes data. If you care about data and not the way it is marked up then you need canonical XML because there are multiple ways to mark up the same data.


    When you say "verified bit-by-bit", do you mean you want to verify the data in two documents are identical? Then you need to put them in canonical form because two documents with the exact same data can have different bits.


    If, on the other hand, you want to verify the data in two documents has been marked up identically then you *must not* put them in canonical format, because that strips away differences in markup.


    "Security" is a separate issue; but you would want to canonicalize a document if you want to verify the *data* in the document, and not the way that data was marked up. If you don't do that, two documents with absolutely identical data but different markup would not verify because their bits are different.
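
The point made in the reply above, as an added example that is not part of the original thread: two documents with the same data but different markup hash differently as raw bytes and identically once canonicalized, while a real change to the data still changes the canonical digest. The sample documents and function names are constructed for illustration, and the canonical form used is C14N 2.0 as provided by Python's standard-library `xml.etree.ElementTree.canonicalize` (Python 3.8+), which is an assumption about the variant, not something the thread specifies.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed samples. DOC_A and DOC_B carry the same data with different
# markup: attribute order, quote style, whitespace inside the start tag,
# empty-element syntax, CDATA vs. entity escaping, and an XML declaration.
DOC_A = ('<order id="42" currency="USD"><item sku="A1"></item>'
         '<note>ship &amp; bill</note></order>')
DOC_B = ('<?xml version="1.0"?>\n'
         "<order currency='USD'   id='42'><item sku=\"A1\"/>"
         '<note><![CDATA[ship & bill]]></note></order>')
# DOC_C keeps DOC_A's markup style but changes one value (id 42 -> 43).
DOC_C = DOC_A.replace('id="42"', 'id="43"')


def raw_digest(xml_text: str) -> str:
    """SHA-256 over the bytes exactly as received (markup included)."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def canonical_form(xml_text: str) -> str:
    """Serialize to canonical XML (C14N 2.0, stdlib implementation)."""
    return ET.canonicalize(xml_data=xml_text)


def canonical_digest(xml_text: str) -> str:
    """SHA-256 over the canonical form, so only the data is compared."""
    canonical = canonical_form(xml_text)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print("canonical form of DOC_B:", canonical_form(DOC_B))
    print("raw digests A == B:      ", raw_digest(DOC_A) == raw_digest(DOC_B))
    print("canonical digests A == B:",
          canonical_digest(DOC_A) == canonical_digest(DOC_B))
    print("canonical digests A == C:",
          canonical_digest(DOC_A) == canonical_digest(DOC_C))
```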

