W3C home > Mailing lists > Public > public-xmlsec@w3.org > March 2009

RE: Explanation of section 4.5 of transform note

From: Scott Cantor <cantor.2@osu.edu>
Date: Thu, 19 Mar 2009 14:18:44 -0400
To: "'Pratik Datta'" <pratik.datta@oracle.com>, "'XMLSec WG Public List'" <public-xmlsec@w3.org>
Message-ID: <046d01c9a8bf$239bc200$6ad34600$@2@osu.edu>
Pratik Datta wrote on 2009-03-19:
> Trying to clarify section 4.5 of the transform note
> http://www.w3.org/2008/xmlsec/Drafts/transform-
> note/Overview.html#extensibility

Thanks, that helps, particularly since you still have this notion of
Transforms in the document, and I wasn't clear on how that related to the
two example WS Transforms you discussed.

> We are proposing a new transform model, which is a radical departure from
> the current model, and it doesn't have the current concept of a
"transform".
> (With the exception of XSLT and decrypt transform, that we reluctantly
added
> back).

I think this has to be determined, and if we're keeping the idea of
Transforms at all, that argues to me more for adapting your proposal to fit
into the *existing* syntax/model. In other words, either we're eliminating
generic transforms or we aren't. I'm of the opinion we should.

> With the current transform model, people are free to define new
transforms,
> and they have. In this section I have taken two such transforms from WS-
> Security spec and attempted to map them to the new transform model.  This
is
> just an exercise to validate the new model; the WS-* specs are frozen and
> not expected to change.

I think that's open to question. If WS-Security doesn't ever plan to support
XML Signature 2.0, its value to me at least goes somewhere close to zero.

I realize it's not our task to even debate that, but I would phrase this
more as "any subsequent change to the WS-* specs are ignored for the
purposes of this discussion".

> To map the STR-Transform to the new model, we need to split it up - part
of
> it will go into the <Selection> element, and part into the
> <Canonicalization> element. The Selection part can be represented by a new
> attribute (assuming we go with attribute extensibility)
> replaceSTwithSTR="true/false". The canonicalization part is standard.

For clarity, I think your proposal should tighten up the XML and make it
clear that with this approach, that's not replaceSTwithSTR, but
wss:replaceSTwithSTR (or whatever). It's an extension attribute in somebody
else's namespace and code would have to be added to an existing
implementation of your proposal to handle it. It wouldn't be baked in.

> This splitting up the STR-Transform gives a big benefit. One of the goals
of
> the new transform model is to accurately determine what is signed, and the
> current STR-Transform does not let you do that easily because it combines
> and replacement and canonicalization into one step, so it is very hard for
> an application to stop the STR-Transform in the middle and get the value
of
> the replaced tokens. But with the new model, an application can just
execute
> the <Selection> step and get the value of the replaced tokens, and check
the
> policy to determine if the tokens that were supposed to be signed, and
> really signed.

If the model is to add content to the Canonicalization or Selection
constructs you're defining to signal extensions, how would somebody plug in
their extension handling code to an implementation? Note that these
extensions could impact essentially any phase of the two processes. It's not
a pipeline, like the existing spec's Transforms model is, where you can
clearly plugin as needed.

Let's say you provided an implementation of your Selection construct, minus
the STR transform extension attribute (as you probably would do). How could
I plug into your code and somehow see that extension attribute and then
impact your processing to do the STR replacement?

Perhaps it would have to explicitly become event-driven/streamed, and I'd
have to handle all the events and some how inject pre/post processing on
your work?

> If this explanation makes is clearer, I can update the note with this
> content.

I think it's helpful, yes.

-- Scott
Received on Thursday, 19 March 2009 18:19:22 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:43:57 GMT