
RE: Action-539: review C14N2.0

From: Scott Cantor <cantor.2@osu.edu>
Date: Mon, 19 Apr 2010 13:02:58 -0400
To: "'Meiko Jensen'" <Meiko.Jensen@ruhr-uni-bochum.de>, "'XMLSec WG Public List'" <public-xmlsec@w3.org>
Message-ID: <00d201cadfe2$29f00840$7dd018c0$@2@osu.edu>

> Section 6: Qnames in content. Searching all text nodes for potential use
> of prefixes is a horribly bad idea. Besides the performance overhead
> you'll get weird matches, resulting in different namespace declarations
> being covered within structurally identical XML documents. Major source
> of confusion and unexplainable signature invalidations.

I don't propose searching all text nodes, but I do believe enumerating the
qualified names of nodes that are QName-valued to be useful and frankly
necessary.

On a separate but similar topic, I also think in the absence of schema-aware
c14n that we have an obligation to allow the specification of ID-valued
attributes to ensure better and safer interop of ID-based references. It
doesn't by itself address wrapping attacks but it's an improvement on
guessing ID-ness.

(To anticipate a response, yes, in an ideal world we'd just use schemas and
both issues would be addressed. But in this world, people often don't use
them at runtime, nor do they use DTDs.)

-- Scott
Received on Monday, 19 April 2010 17:03:25 GMT
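
The contrast between guessing ID-ness and declaring ID-valued attributes, as an added example that is not part of the original message or of any C14N 2.0 text. The sample document, the `urn:example:app` namespace and the `DECLARED_IDS` format are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: two attributes could plausibly be "the ID" for value "a1".
SAMPLE = """<Envelope xmlns:ex="urn:example:app">
  <ex:Note id="a1">free-form annotation</ex:Note>
  <ex:Assertion ID="a1"><ex:Subject>alice</ex:Subject></ex:Assertion>
</Envelope>"""

# Hypothetical declaration format: (element name, attribute name) pairs in
# ElementTree's {namespace}local notation, supplied alongside the reference.
DECLARED_IDS = {("{urn:example:app}Assertion", "ID")}


def resolve_by_guessing(root, value):
    """Heuristic: first element with an attribute whose name looks like an ID."""
    for elem in root.iter():
        for name, attr_value in elem.attrib.items():
            local = name.rsplit("}", 1)[-1]
            if local.lower() == "id" and attr_value == value:
                return elem
    return None


def resolve_declared(root, value, declared):
    """Match only declared ID attributes; require exactly one hit."""
    hits = [
        elem
        for elem in root.iter()
        for name, attr_value in elem.attrib.items()
        if (elem.tag, name) in declared and attr_value == value
    ]
    if len(hits) != 1:
        raise ValueError(f"reference #{value} matched {len(hits)} elements")
    return hits[0]


def local_name(elem):
    """Strip the {namespace} part of an ElementTree tag."""
    return elem.tag.rsplit("}", 1)[-1]


ROOT = ET.fromstring(SAMPLE)

if __name__ == "__main__":
    print("guessing ->", local_name(resolve_by_guessing(ROOT, "a1")))
    print("declared ->", local_name(resolve_declared(ROOT, "a1", DECLARED_IDS)))
```

The declared resolver also rejects a reference that matches zero or several declared ID attributes, so an ambiguous document fails closed instead of resolving to whichever element comes first.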
