W3C home > Mailing lists > Public > public-xmlsec@w3.org > January 2010

Re: RNG schema plans

From: MURATA Makoto (FAMILY Given) <eb2m-mrt@asahi-net.or.jp>
Date: Sat, 23 Jan 2010 19:14:33 +0900
To: "'XMLSec WG Public List'" <public-xmlsec@w3.org>
Cc: Murata <eb2m-mrt@asahi-net.or.jp>
Message-Id: <20100123191433.8F56.B794FC04@asahi-net.or.jp>
> > I think that the conversation revealed underspecified points. Are
> > elements of the namespace "http://www.w3.org/2000/09/xmldsig#" 
> > allowed as children of CanonicalizationMethod elements when 
> > the value of the Algorithm attribute is neither 
> > "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
> > "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments",
> > "http://www.w3.org/2006/12/xml-c14n11", nor 
> > "http://www.w3.org/2006/12/xml-c14n11#WithComments"?
> 
> What does the schema say? That's your answer. It says ##any, so the answer is yes, they're allowed.

Schemas are not the only.  The combination of prose and the schema
provide the answer.  Otherwise, absolutely everything should be allowed
even as contents of 
<CanonicalizationMethod
Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments">

Moreover, you wrote:

> > So, are foreign elements  allowed to precede or follow the XPath element?
> > (My guess:  No)  Is the XPath element mandatory?  (My guess: Yes) I have
> > similar questions about permissible contents when the Algorithm attribute
> > specifies other values.
> 
> Your guesses match what everybody I know has interpreted the spec to mean.
> Has anybody else ever felt differently?

If the schema is the only authoritative thing, then foreign sibling elements
should certainly be allowed, since the schema has 
<any namespace="##other" processContents="lax"/>

> >  I would argue that they should be disallowed, and most XMLers would expect so.
> 
> You can't argue with the schema. You can argue the schema is bad, but it is long done 
>and cannot be changed. 

In my understanding, the schema is somewhat loose and  prose is expected
to impose tighter constraints.  But the prose does not look clear enough
to me.


> > I would also argue that permissible children are not absolutely 
> > clear also when the value of @Algorithm  is one of the four 
> > mentioned above.  Are foreign elements allowed as children?
> 
> That is the province of each of those algorithms to define. If the algorithm 
>is inclusive, there's no content. 

Which sentence in the XML Signature spec says so?  

> If it's exclusive, that spec defines the allowable child element, which
> happens to be defined in a separate namespace.

So, can the <ec:InclusiveNamespaces> element have  sibling 
elements?  If the XSD schema is authoritative here, any sibling 
element would be allowed.  Even the following nonsense would 
be allowed.

  <ds:CanonicalizationMethod
      Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315">
      <ec:InclusiveNamespaces PrefixList="dsig soap #default"
          xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315">
      <ds:CanonicalizationMethod Algorithm="#WithComments">
   </ds:CanonicalizationMethod>

I think nothing in the exclusive c14n spec disallows this one.   I am
aware of "This algorithm also takes an optional explicit parameter of an
empty InclusiveNamespaces element with a PrefixList attribute.", but 
I do not think this sentence mentions sibling elements.


Cheers,
Makoto
Received on Saturday, 23 January 2010 10:15:13 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Saturday, 23 January 2010 10:15:14 GMT