XML Signature and canonicalization

Good Day,

It seems to me that canonicalization is a prerequisite for XML Signature. I just wonder if it is mandatory. After all, we can have integrity of the message even without canonicalization.

Any thoughts?

Regards,
Dan

Hello,
In my opinion Canonicalization is necessary so that you compute Hash on the basic form of the data without any other characters like spaces.

Regards,
Amit

Right, but Canonicalization is considered to be a resource intensive operation and if one wants only to guarantee the integrity of the a particular message, Canonicalization doesn't seem to be needed.

Regards,
Dan

Hi!
The question is slightly old, but I couldn't resist the prospects of a good discussion!

Assume the following trivial XML fragments:
<ns1:MyElement ns1:myAttribute="test">elementData</ns1:MyElement>
and
<ns2:MyElement ns2:myAttribute="test"/>elementData</ns2:MyElement>
With ns1 and ns2 both referring to the same namespace.

We can both tell that the first XML fragment is a valid version of the second XML fragment that has not been tampered with.
However, in order for a piece of software to be able to determine this, I feel we need to transform the XML fragments into some kind of normalized (i.e. canonical) form.
Having been "normalized", the program will then be able to determine if the XML fragments are equal or not.
Best wishes!