[gtld-tech] [tmch-tech] Test SMDs files now available

James Mitchell james.mitchell at ausregistry.com.au
Wed Aug 7 14:40:54 UTC 2013


Mike,

It appears your problem is related to signature verification changes we noticed in the recent Java 7u25 update. We observed that by not using a validating parser, id uniqueness could not be guaranteed, which resulted in signature verification failures for security reasons. Our solution was to bind the <signedMark> element's id to the validating context, seemingly equivalent to 3) xmlAddID of section 3.2 of http://www.aleksey.com/xmlsec/faq.html.

Implementors who are yet to update to the latest Java version, or are having trouble doing so, may find the last comment of http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=8017171 useful.

I too am interested in knowing the libraries used by the TMCH to generate SMD signatures.

Regards,
James Mitchell / Product Owner
ARI Registry Services

From: Mike O'Connell <mcanix at gmail.com>
Date: Wednesday, 7 August 2013 10:47 PM
To: Francisco Obispo <fobispo at isc.org>
Cc: "tmch-tech at icann.org" <tmch-tech at icann.org>, "gtld-tech at icann.org" <gtld-tech at icann.org>
Subject: Re: [tmch-tech] Test SMDs files now available

I'm also using the XMLSec and LibXML2 libraries and I'm just finishing off the verification of SMD signatures.

Slightly OT, but the only issues I've encountered are around the 'id' attribute lacking the prescribed 'xml' prefix; I've had to adjust the invocation to XMLSec to get around the reference errors.

See section 3.2 of http://www.aleksey.com/xmlsec/faq.html and http://www.w3.org/TR/xml-id/ (dated 9 Sept 2005)

Two questions:

  1.  Has anyone else encountered this?
  2.  Which libraries is the TMCH using to generate the SMD signatures?

Kind regards,

Mike O'Connell

--

If you don't know where you are going, any road will get you there.

On 06 Aug 2013, at 12:34 AM, Francisco Obispo <fobispo at isc.org> wrote:

I agree,

I do use XMLSEC and LibXML and have not yet encountered any problems, but I do see it as a source of possible problems, so the less data to be transferred the better.



On Aug 5, 2013, at 1:29 PM, "Gould, James" <JGould at verisign.com> wrote:

It's actually a factor of the XML parser and the DSIG software, where based on my experience white space is a factor for validation. Troubleshooting validation issues is not a trivial task. Removing the extra white space and carriage returns (pretty print) will reduce the size and reduce the risk of validation errors.


Francisco Obispo
Director of Applications and Services - ISC
email: fobispo at isc.org
Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
PGP KeyID = B38DB1BE
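
The binding of the un-prefixed `id` attribute to the validation context, discussed at the top of this thread, shown as an added Java example (not code from any poster or from the TMCH). The class name, the SMD-shaped sample document, the `sm-test-1` id value and the throwaway RSA key are all constructed for illustration; the first validation call leaves the id unbound so the two outcomes can be compared on the local runtime.

```java
import java.io.ByteArrayInputStream;
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class SmdIdBinding {
    // Constructed sample shaped like an SMD; not a real signed mark.
    static final String XML = "<smd:signedMark xmlns:smd=\"urn:ietf:params:xml:ns:signedMark-1.0\""
        + " id=\"sm-test-1\"><smd:id>constructed-0001</smd:id></smd:signedMark>";

    // Validate the signature; idOwner == null means the id attribute is left unbound.
    static boolean validate(XMLSignatureFactory fac, PublicKey key, Node sig, Element idOwner) {
        try {
            DOMValidateContext vc = new DOMValidateContext(key, sig);
            // The binding step: declare which attribute of which element is the ID.
            if (idOwner != null) vc.setIdAttributeNS(idOwner, null, "id");
            return fac.unmarshalXMLSignature(vc).validate(vc);
        } catch (Exception e) { // an unresolvable "#sm-test-1" reference surfaces here
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required for XML Signature processing
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(XML.getBytes("UTF-8")));
        Element sm = doc.getDocumentElement();

        // Sign with a throwaway key so the example is self-contained.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#sm-test-1", fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        DOMSignContext sc = new DOMSignContext(kp.getPrivate(), sm);
        sc.setIdAttributeNS(sm, null, "id"); // signing needs the same binding
        fac.newXMLSignature(si, null).sign(sc);

        Node sig = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        System.out.println("id not bound: " + validate(fac, kp.getPublic(), sig, null));
        System.out.println("id bound:     " + validate(fac, kp.getPublic(), sig, sm));
    }
}
```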
