Trouble Ahead: Normative references to 2001 XPointer CR. from Thomas Roessler on 2007-07-12 (public-xmlsec-maintwg@w3.org from July 2007)

From: Thomas Roessler <tlr@w3.org>
Date: Thu, 12 Jul 2007 20:58:17 +0200
To: public-xmlsec-maintwg@w3.org
Message-ID: <20070712185816.GH31669@raktajino.does-not-exist.org>
While preparing the Last Call Working Draft for the decrypt
transform (per ACTION-53), I noticed a somewhat surprising normative
reference to a 2001 Candidate Recommendation for XPointer, present
in both the decryption transform and xmldsig-core recommendations:

  XML Pointer Language (XPointer) Version 1.0
  W3C Candidate Recommendation 11 September 2001
  http://www.w3.org/TR/2001/CR-xptr-20010911/

Unfortunately, it turns out that this seemingly harmless editorial
error is indeed a substantive issue for both the decryption
transform and dsig-core, that I at least hadn't been aware of
before: That particular Candidate Recommendation actually didn't
make it to Rec.  Instead, there are now four different Technical
Reports on XPointer.

Only three of these are Recommendations:

- XPointer Framework
  W3C Recommendation 25 March 2003
  http://www.w3.org/TR/2003/REC-xptr-framework-20030325/

- XPointer Element Scheme
  W3C Recommendation 25 March 2003
  http://www.w3.org/TR/2003/REC-xptr-element-20030325/

- XPointer xmlns Scheme
  W3C Recommendation 25 March 2003
  http://www.w3.org/TR/2003/REC-xptr-xmlns-20030325/

The fourth is a Working Draft that has not been updated for a while:

- XPointer xpointer() Scheme
  W3C Working Draft 19 December 2002
  http://www.w3.org/TR/2002/WD-xptr-xpointer-20021219/

The XML Linking Working Group that has produced these Technical
Reports is disbanded, and I know of no current Working Group that is
chartered to take the XPointer xpointer() Scheme to Rec.



Impact on Decryption Transform


The normative impact on the decryption transform is localized to a
relatively narrow part of the processing rules, in the description
of the decryptNodeSet function. 

|      *  When dereferencing an exception URI in the context of the
|      original input node set, the implementation MUST behave as if
|      the document node of the input node-set is used to initialize
|      the XPointer evaluation context [XPointer], even if the node
|      is not part of the node-set. Unlike XML Signature
|      [XML-Signature], the exception URI may be evaluated against a
|      different document than the "root node of the XML document
|      containing the URI attribute." If the input is a different
|      document then, as per XPointer [XPointer], use of the here()
|      function is an error.
|      
|      * When dereferencing an exception URI in the context of a
|      replacement node-set, bare name [XPointer] exception URIs are
|      used to locate xenc:EncryptedData elements with matching Id
|      attributes. Implementors MAY attempt to resolve full XPointers
|      into replacement node-sets using appropriate techniques to
|      take into account the location of the replacement node-set in
|      the input document, see References Using Non-barename
|      XPointers (section 3.4.5).
|
|      * If an exception URI fails to dereference any nodes, then the
|      resulting error MUST be ignored; it may be the result of part
|      of the input document being encrypted.

 --  http://www.w3.org/2007/xmlsec/Drafts/xmlenc-decrypt/Overview#sec-xml-processing

Since we are preparing a version of this specification that will
have a new algorithm ID, and since we anticipate trouble getting
this through CR anyway, I'd suggest that changes needed to
accomodate the actual XPointer framework look like they are covered
(a) by our charter's allowance to make conformance-affecting changes
that "address incompatibilities with the evolving XML environment",
and (b) can be made without much negative impact on the world.

Roughly, these changes could consist in dropping most of the
material that deals with the evaluation context (which only applies
to an XPointer of scheme xpointer()), in the first bullet point, and
cutting the entire discussion down to shortname XPointers (aka
barenames); these are defined in the XPointer Framework
Recommendation that we can normatively reference without further
trouble.

Section 3.4.5 gives examples for failure conditions of references
using non-barename XPointers.  This material is informative, and we
could either keep it (but reference the ancient xpointer() working
draft), or we could simply drop it, without much negative impact.

  http://www.w3.org/2007/xmlsec/Drafts/xmlenc-decrypt/Overview#sec-References-Non-Barename




Impact on XML-Signature Syntax and Processing


The main impact on xmldsig-core seems to be in four sections:

- section 4.3.3.2, Reference Processing Model
  http://www.w3.org/2007/xmlsec/Drafts/xmldsig-core/#sec-ReferenceProcessingModel

- section 4.3.3.3, same-document URI References
  http://www.w3.org/2007/xmlsec/Drafts/xmldsig-core/#sec-Same-Document
  
- section 6.6.2, Base64
  http://www.w3.org/2007/xmlsec/Drafts/xmldsig-core/#sec-Base-64

- section 6.6.3, XPath Filtering
  http://www.w3.org/2007/xmlsec/Drafts/xmldsig-core/#sec-XPath

In section 4.3.3.2, the following language is relevant:

| When a fragment is not preceded by a URI in the URI-Reference, XML
| signature applications MUST support the null URI and barename
| XPointer. We RECOMMEND support for the same-document XPointers
| '#xpointer(/)' and '#xpointer(id('ID'))' if the application also
| intends to support any canonicalization that preserves comments.
| (Otherwise URI="#foo" will automatically remove comments before the
| canonicalization can even be invoked.) All other support for
| XPointers is OPTIONAL, especially all support for barename and other
| XPointers in external resources since the application may not have
| control over how the fragment is generated (leading to
| interoperability problems and validation failures).

 --- http://www.w3.org/2007/xmlsec/Drafts/xmldsig-core/#sec-ReferenceProcessingModel

It would seem that the MUST clause can be fixed by changing
"barename" to "shortname", and by referencing the XPointer Framework
Recommendation.

I'm not sure what the most appropriate course of action for the
RECOMMEND language concerning the #xpointer(/) and
#xpointer(id('ID')) approaches is. These are currently RECOMMENDED,
but not defined in a Recommendation.


As an aside, there's some language in 4.3.3.2 that references the
URI spec for the definition of a "same-document URI-Reference."

Unfortunately, the meaning of that has changed between the URI spec
that is referenced in xmldsig-core and the currently valid one (RFC
2396 vs. RFC 3986): Same-document references are now (in RFC 3986)
defined in terms of the base URI; the purely syntactic definition
("URI references with an empty URI", i.e., just a fragment
identifier) from RFC 2396 is no longer there.

However, XML Signature relies on that syntactic definition and
actually replays it in the specification text to a large extent.
I'd therefore propose to import the language from RFC 2396, but
normatively reference RFC 3986.


In section 4.3.3.3, we have the following rules:

| Dereferencing a same-document reference MUST result in an XPath
| node-set suitable for use by Canonical XML [XML-C14N]. Specifically,
| dereferencing a null URI (URI="") MUST result in an XPath node-set
| that includes every non-comment node of the XML document containing
| the URI attribute. In a fragment URI, the characters after the
| number sign ('#') character conform to the XPointer syntax [Xptr].
| When processing an XPointer, the application MUST behave as if the
| root node of the XML document containing the URI attribute were used
| to initialize the XPointer evaluation context. The application MUST
| behave as if the result of XPointer processing were a node-set
| derived from the resultant location-set as follows:
|
|   1. discard point nodes
|   2. replace each range node with all XPath nodes having full or
|      partial content within the range
|   3. replace the root node with its children (if it is in the node-set)
|   4. replace any element node E with E plus all
|      descendants of E (text, comment, PI, element) and all
|      namespace and attribute nodes of E and its descendant elements.
|   5. if the URI is not a full XPointer, then delete all
|      comment nodes
|	      
|   The second to last replacement is necessary because XPointer
|   typically indicates a subtree of an XML document's parse tree
|   using just the element node at the root of the subtree, whereas
|   Canonical XML treats a node-set as a set of nodes in which
|   absence of descendant nodes results in absence of their
|   representative text from the canonical form. 

 -- http://www.w3.org/2007/xmlsec/Drafts/xmldsig-core/#sec-Same-Document

Two points at least are noteworthy:

1. Even though a barename XPointer was, at the time, defined to
return the same location-set as an xpointer(id='barename') style
full XPointer, these two xpointers would yield different results in
the reference processing model of XML Signature.  If a barename is
used, comments are stripped; if a full xpointer [i.e.,
xpointer(id='barename') style] is used, comments are not stripped.  

2. The processing rules are defined in terms of location-sets.  A
location-set is a notion defined generically in the 2001 XPointer
CR, but then moved into the xpointer() scheme for XPointer (which
never made it to Rec).  It is a notion that is *NOT* defined in any
current recommenation.  Also, shortname xpointers (as they are now
known) are no longer defined in terms of the xpointer() scheme, and
do not result in a location-set in any useful way.

It would seem that it is possible (and, indeed, reasonably easy) to
restate most of the conformance requirements in terms of the
XPointer Framework, and the desired behavior for shortname XPointers
in terms of elements and node-set, avoiding any reference to point
nodes, ranges, and location-sets.  References to full xpointers
could then be dropped, except for noticing that *if* a full
("scheme-based" in the diction of the XPointer framework) XPointer
is used, comments are not removed.

There would probably be another change to RECOMMEND certain
element() XPointers (specifically, element(ID) and element(/1),
where the resource against which the XPointer is evaluated is the
document that contains the URI attribute), replacing the current
recommendation for the xpointer() XPointers with equivalent effect.

I'm, however, a bit wary about these changes; they seem to go
somewhat far for a PER.  I'd welcome feed-back from the group, and
will also solicit feedback in the Team.


In sections 6.6.2 and 6.6.3, there is some discussion of elements
identified by barename XPointers; it seems to me that we can simply
change "barename" to "shortname" here and be done with this.

  http://www.w3.org/2007/xmlsec/Drafts/xmldsig-core/#sec-Base-64
  http://www.w3.org/2007/xmlsec/Drafts/xmldsig-core/#sec-XPath



An alternative approach to all this could be to argue that, since
the XML Signature Rec has survived for a long time without fixing
this issue, we'd rather not fix it in this round of changes.  I
can't at this point predict the outcomes of a transition call with
that approach, and will continue to put out feelers about it.

Meanwhile, I'd appreciate feed-back on the proposed approaches.  I'd
also be interested to hear to what extent existing implementations
actually support some notion of a "full xpointer", and if so, what
specification they were implemented against.

PS: Yes, this is quite a mess.

Cheers,
-- 
Thomas Roessler, W3C  <tlr@w3.org>
Received on Thursday, 12 July 2007 18:58:21 UTC