- From: Thomas Roessler <tlr@w3.org>
- Date: Thu, 9 Aug 2007 15:32:03 +0200
- To: Christian Geuer-Pollmann <Christian.Geuer-Pollmann@microsoft.com>
- Cc: "Marcus.Ertel@Extern.Sparkassen-Informatik.de" <Marcus.Ertel@Extern.Sparkassen-Informatik.de>, "Heiko.Dittmann@Sparkassen-Informatik.de" <Heiko.Dittmann@Sparkassen-Informatik.de>, "Konrad.Lanz@iaik.tugraz.at" <Konrad.Lanz@iaik.tugraz.at>, Marcus Ertel <m.ertel@gmx.com>, "public-xmlsec-maintwg@w3.org" <public-xmlsec-maintwg@w3.org>, Tom Gindin <tgindin@us.ibm.com>, "w3c-ietf-xmldsig@w3.org" <w3c-ietf-xmldsig@w3.org>
On 2007-08-09 13:25:19 +0000, Christian Geuer-Pollmann wrote:

> One of the questions you should ask yourself is why you don't do
> the actual node selection in the ds:Transforms anyway? I would
> expect that with the approach you're following here, you're
> calling for trouble. If you want to select multiple subtrees in
> the document, I would select the whole document's xpath node set
> in the URI="" and do the filtering in the Transforms anyway.
> Using a URI like #xpointer(//*[@authenticate='true']) may not be
> supported by many XML Signature toolkits, as that's not a
> requirement for a toolkit to call itself "XML Signature 1.0
> compliant". So when you want to work with different toolkits,
> that's a recipe for trouble. When you only intend to use a single
> toolkit, you should actually just do what that particular toolkit
> understands.

It's also a recipe for trouble because xpointer() is a very ancient Working Draft that never made it to REC. Interestingly, the normative reference in xmldsig-core is to an even more ancient xpointer candidate rec that subsequently failed -- it's dodgy, to say the least. Theoretically, there could be a new version of xpointer() that is incompatible, without any regard to particular deployments.

We expect the second edition of XML Signature to lock in semantics for the two xpointer() usages that are currently RECOMMENDED ('/' to select the root node, id() to select a specific element). Beyond that, using the xpointer() scheme is risky. There is a bit of an argument going on how strongly the 2nd ed should come out about not using xpointer() usages beyond these two.

So, +1 to using Transforms for this particular use case if you want to future-proof.

For the latest editor's draft of xmldsig-core 2nd ed, please see:

http://www.w3.org/2007/xmlsec/Drafts/xmldsig-core/

Cheers,
--
Thomas Roessler, W3C <tlr@w3.org>
Received on Thursday, 9 August 2007 13:32:18 UTC
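As an added illustration (not part of the message above), this is the Reference layout both correspondents recommend: an empty URI selects the whole document, and the subtree selection is done in ds:Transforms with the XMLDSig 1.0 XPath transform instead of an xpointer() URI. The Order document, the authenticate attribute and the digest and signature values are constructed placeholders.

```xml
<!-- Constructed example: only the subtrees marked authenticate='true'
     are covered by the signature; the Comment element is not. -->
<Order xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <Header authenticate="true"><Id>42</Id></Header>
  <Comment>not covered by the signature</Comment>
  <Payment authenticate="true"><Amount>100</Amount></Payment>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <!-- URI="" selects the whole document (minus comments); every
           toolkit must support it. The selection of the subtrees
           happens in the Transforms, not in the URI. -->
      <ds:Reference URI="">
        <ds:Transforms>
          <!-- Remove the ds:Signature element itself from the node set
               so the digest does not depend on the signature value. -->
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <!-- XMLDSig XPath transform: the expression is evaluated with
               each node of the input node set as the context node, and
               a node is kept when the result is true. ancestor-or-self
               keeps each marked element together with its descendant
               elements, attributes and text nodes. -->
          <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
            <ds:XPath>ancestor-or-self::*[@authenticate='true']</ds:XPath>
          </ds:Transform>
          <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>PLACEHOLDER-DIGEST</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>
  </ds:Signature>
</Order>
```

Because the filter is driven by attributes inside the document, a verifier must still check that the elements it acts on were actually in the signed node set rather than trusting the authenticate markers themselves.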