XML canonicalization question
Christopher Bongaarts
cab at umn.edu
Tue Apr 28 12:17:43 EDT 2020
Hopefully Scott or Brent can lend a virtual ear to this one:
We have a vendor that is having trouble verifying the signature on our
IdP's responses. They say their digest value over the response differs
from the one in the signature (so presumably the keys are not in play
here, just the digest process).
They claim the signature matches if they replace shorthand close tags
with full closing tags, and remove the xmlns:xsd namespace declarations
from the AttributeValue elements, prior to calculating the digest.
To me it seems like that is what the exclusive canonicalization step is
supposed to be doing already. The close tags are obvious. My question is
more to confirm my understanding around the namespace declaration. The
exc-c14n process is supposed to eliminate namespace declarations that
are not "visibly utilized" by the element or its attributes. The xsd:
namespace is only used in an XML attribute value -
xsi:type="xsd:string", and from what I've been able to decipher from the
exclusive c14n standard, it sounds like that kind of usage does not
count as "visibly utilized", so it is expected that the declaration be
dropped.
Is my understanding correct?
If so, I suspect there is some problem on the vendor's side in applying
the canonicalization rules.
My presumption is that the Shib IdP is doing the right thing on its
side, since we've been interoperating with hundreds of SPs using a
variety of implementations for many years. The vendor claims they are
also working successfully with other IdPs.
Thanks,
--
%% Christopher A. Bongaarts %% cab at umn.edu %%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%
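To see the rule being discussed, here is an added example (not part of this post, and not Shibboleth or vendor code) using Python's standard-library xml.etree.ElementTree.canonicalize. That function implements Canonical XML 2.0 rather than the Exclusive C14N 1.0 used for SAML signatures, but both emit a namespace declaration only where its prefix is visibly utilized in an element or attribute name, never because it appears inside an attribute value; the sample AttributeValue fragments are constructed.

```python
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample: an AttributeValue as an IdP might emit it. The xmlns:xsd
# declaration is used only inside the xsi:type attribute value, so it is not
# "visibly utilized"; the second fragment uses a shorthand close tag.
TYPED_VALUE = (
    '<saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
    ' xmlns:xsd="http://www.w3.org/2001/XMLSchema"'
    ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
    ' xsi:type="xsd:string">staff</saml:AttributeValue>'
)
EMPTY_VALUE = (
    '<saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>'
)


def canonical(xml_text, keep_xsi_type_prefix=False):
    """Canonicalize a fragment (Canonical XML 2.0 via the stdlib).

    Default: the xsd prefix is only referenced inside the xsi:type value,
    so its declaration is dropped. With keep_xsi_type_prefix=True the
    xsi:type value is treated as a QName and the declaration survives, the
    analogue of listing the prefix in an exc-c14n InclusiveNamespaces
    PrefixList. Shorthand close tags are always expanded.
    """
    qname_attrs = [XSI_TYPE] if keep_xsi_type_prefix else None
    return ET.canonicalize(xml_text, qname_aware_attrs=qname_attrs)


def declared_prefixes(canonical_text):
    """Return the namespace prefixes declared on the outermost start tag."""
    start_tag = canonical_text[: canonical_text.index(">")]
    return sorted(
        tok.split("=", 1)[0].split(":", 1)[1]
        for tok in start_tag.split()
        if tok.startswith("xmlns:")
    )


if __name__ == "__main__":
    print(canonical(TYPED_VALUE))  # xmlns:xsd gone, xsi:type="xsd:string" kept
    print(canonical(TYPED_VALUE, keep_xsi_type_prefix=True))  # xmlns:xsd kept
    print(canonical(EMPTY_VALUE))  # "/>" expanded to a full closing tag
```

A verifier that re-adds the xsd declaration (or keeps "/>") before digesting will compute a different digest than the signer, which is exactly the symptom described above.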