
Compatibility story for RetrievalMethod and Reference in v2

From: Thomas Roessler <tlr@w3.org>
Date: Wed, 13 May 2009 22:17:49 +0200
Message-Id: <E0CA0BAB-F8BB-4255-99EE-86EDD491511A@w3.org>
To: XMLSec WG Public List <public-xmlsec@w3.org>
Quick summary of the discussion just now:


1. RetrievalMethod is broken since the target elements (children of  
ds:KeyInfo) don't have ID attributes.  Since the content model of  
ds:KeyInfo is extensible, it is possible to replace these elements  
with elements in a new namespace *without* having to break the overall  
schema.  That would (a) let us add the necessary ID attributes, and  
(b) permit assorted fixes to the content models of these elements.


2. Reference has two interesting extension points:

(a) URI is an optional attribute.  There can only be one ds:Reference  
element without a URI attribute according to the current spec;  
however, that constraint is not enforced in the schema.  Therefore, we  
could move the URI from that attribute into a special-purpose transform.

(b) Type is optional and largely unused.  That attribute could be used  
to describe the content model of what is being referenced in a  
different way, to (e.g.) discern between octet-stream, node-set, and  
the-other-thing (whatever that be in detail).  That would also solve  
the current ugliness around dispatching between node-set and  
octet-stream based on URI's same-document-ness.


These two points are orthogonal to each other. Together, though, they  
mean that the two reasons we had so far for changing namespaces in 2.0  
can be avoided, making it easier to plug a version 2.0 of signature  
into formats like SAML which are unlikely to change their own schemas  
(and include a hardwired ds:Signature).


--
Thomas Roessler, W3C  <tlr@w3.org>
Received on Wednesday, 13 May 2009 20:17:59 GMT
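The two mechanics the message turns on, as an added example that is not part of the original post or of the XMLSec WG's own work: the 1.x rule that dispatches a ds:Reference to node-set or octet-stream purely from the URI's same-document-ness, the "at most one Reference without URI" constraint that the schema cannot express, and the observation that a ds:RetrievalMethod pointing at "#x" can only resolve if some element actually carries an Id. The script assumes a placeholder namespace (`urn:example:xmldsig-v2-placeholder`) standing in for the new-namespace KeyInfo children proposed in point 1, and hypothetical Type URIs (`urn:example:ref-type:*`) standing in for the content-model labels proposed in point 2(b); the XML input is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"        # XML Signature 1.x namespace
V2 = "urn:example:xmldsig-v2-placeholder"         # hypothetical: stands in for the proposed v2 KeyInfo children
NS = {"ds": DS, "v2": V2}

# Hypothetical Type values standing in for the content-model labels of point 2(b).
TYPE_TO_MODEL = {
    "urn:example:ref-type:node-set": "node-set",
    "urn:example:ref-type:octet-stream": "octet-stream",
}

# Constructed sample document: one signed Payload, a mix of References, and a
# KeyInfo holding a 1.x child (no Id possible) next to a v2 child (with Id).
SAMPLE = f"""<Root xmlns:ds="{DS}" xmlns:v2="{V2}">
  <Payload Id="payload"><Item>hello</Item></Payload>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="#payload"/>
      <ds:Reference URI=""/>
      <ds:Reference URI="https://example.invalid/doc.bin"/>
      <ds:Reference/>
      <ds:Reference Type="urn:example:ref-type:octet-stream" URI="#payload"/>
    </ds:SignedInfo>
    <ds:KeyInfo>
      <ds:KeyValue>key-1</ds:KeyValue>
      <v2:KeyValue Id="pubkey2">key-2</v2:KeyValue>
      <ds:RetrievalMethod URI="#pubkey"/>
      <ds:RetrievalMethod URI="#pubkey2"/>
    </ds:KeyInfo>
  </ds:Signature>
</Root>"""

# Constructed sample that the schema accepts but the spec forbids (two URI-less References).
BAD_SAMPLE = f"""<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>
  <ds:Reference/><ds:Reference/>
</ds:SignedInfo></ds:Signature>"""


def load(text):
    return ET.fromstring(text)


def is_same_document(uri):
    """1.x rule: '' (whole document) and '#fragment' stay inside the signing document."""
    return uri == "" or uri.startswith("#")


def content_model(ref):
    """Dispatch one ds:Reference.  Proposed v2 behaviour: an explicit Type decides.
    1.x fallback: same-document URIs yield a node-set, everything else an octet stream."""
    model = TYPE_TO_MODEL.get(ref.get("Type"))
    if model:
        return model
    uri = ref.get("URI")
    if uri is None:
        return "application-defined"  # no URI: the application must know what was signed
    return "node-set" if is_same_document(uri) else "octet-stream"


def classify_references(root):
    return [(r.get("URI"), content_model(r))
            for r in root.iterfind(".//ds:SignedInfo/ds:Reference", NS)]


def uri_less_reference_ok(root):
    """At most one Reference may omit URI; the schema cannot say so, so a verifier checks it."""
    refs = root.findall(".//ds:SignedInfo/ds:Reference", NS)
    return sum(1 for r in refs if r.get("URI") is None) <= 1


def find_by_id(root, fragment):
    """Same-document lookup by Id/ID attribute (ElementTree has no schema-driven ID typing)."""
    for el in root.iter():
        if el.get("Id") == fragment or el.get("ID") == fragment:
            return el
    return None


def resolve_retrieval_methods(root):
    """Point 1: '#x' only resolves when some element carries Id='x'.  The 1.x
    ds:KeyValue cannot, so '#pubkey' stays unresolved; the v2 child can."""
    out = {}
    for rm in root.iterfind(".//ds:KeyInfo/ds:RetrievalMethod", NS):
        uri = rm.get("URI", "")
        target = find_by_id(root, uri[1:]) if uri.startswith("#") else None
        out[uri] = target.tag if target is not None else None
    return out


ROOT = load(SAMPLE)
BAD_ROOT = load(BAD_SAMPLE)

if __name__ == "__main__":
    for uri, model in classify_references(ROOT):
        print(f"Reference URI={uri!r:40} -> {model}")
    print("URI-less constraint OK:", uri_less_reference_ok(ROOT), uri_less_reference_ok(BAD_ROOT))
    for uri, tag in resolve_retrieval_methods(ROOT).items():
        print(f"RetrievalMethod {uri} -> {tag}")
```

The last Reference in the sample shows the point of 2(b): its URI is same-document, which under the 1.x rule forces a node-set, yet the Type attribute lets the signer say "octet stream" explicitly, so the verifier no longer has to infer the content model from the URI's shape.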

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:43:58 GMT