Re: Action-565: Visible Utilization in XPath

From: <Frederick.Hirsch@nokia.com>
Date: Mon, 17 May 2010 16:23:12 +0200
To: <cantor.2@osu.edu>
CC: <Frederick.Hirsch@nokia.com>, <Meiko.Jensen@ruhr-uni-bochum.de>, <public-xmlsec@w3.org>
Message-ID: <B9441911-797E-4B2F-8243-02848CEDA053@nokia.com>

+1

(also #3 could be generated via pre-processor in pre-existing cases)

regards, Frederick


On May 11, 2010, at 11:25 AM, ext Scott Cantor wrote:

>> *Approach #3: prohibit QNames in XPath*
>> 
>> Instead of using QNames in XPath, we force the XPath expressions not to
>> contain any QNames. For namespace-free documents this means no change,
>> for namespace-aware documents this requires sth. like putting
>> "/*[local-name()='Body' and
>> namespace-uri()='http://www.w3.org/2003/05/soap-envelope']" instead of
>> "/soap:Body".
>> 
>> Drawbacks:
>> High threat of developers to screw it up.
> 
> This is the one that I think should be recommended but not required. QNames
> in content are simply bad things. We know that now, and the remaining uses
> of them are from specs that predate that knowledge. Which is life. But where
> there are alternatives that allow the same functionality without using them,
> we would be crazy IMHO not to bless those approaches as being better for use
> with signatures.
> 
> Developers will screw up anything and everything, and that's also just life.
> That shouldn't prevent us from documenting workarounds that actually *solve*
> this problem. It's quite rare in these cases for such solutions to actually
> exist at all.
> 
>> *Approach #4: listing used QNames explicitly*
>> 
>> On signature generation, when defining the XPath expressions for the
>> signature reference, this approach requires an explicit statement
>> listing all QNames used in the XPath as part of its definition.
>> 
>> Example:
>> 
>> <IncludedXPath QNames="soap:Body
>> my:Node">//soap:Body/my:Node</IncludedXPath>
>> 
>> Drawbacks:
>> Requires changes to XML Signature 2.0 syntax, threat of forgetting
>> used/adding unused QNames.
>> Puts additional tasks to the signature generator.
>> Somewhat redundant information.
> 
> I think this one is also worth considering, because changing the syntax is
> not a drawback at this point (we're in draft) and because it's likely that
> the creator of the XPath expression is in a good position to know what
> QNames are actually being used, seems to me.
> 
> -- Scott
> 
> 
> 
Received on Monday, 17 May 2010 14:25:36 GMT
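
The pre-processor mentioned in the reply above, as an added example that is not part of the original thread or of any XML Signature draft: it rewrites simple QName-based location paths into the prefix-free form shown under Approach #3, so the signed selection no longer depends on prefix bindings in the document. The function name strip_qnames, the ns_map parameter and the urn:example:my namespace are assumptions made for illustration.

```python
import re

# One step of a simple location path: "/" or "//", an optional prefix,
# then a local name or "*".
_STEP = re.compile(r"(//|/)(?:([A-Za-z_][\w.-]*):)?([A-Za-z_][\w.-]*|\*)")


def strip_qnames(xpath, ns_map):
    """Rewrite a simple absolute location path so it contains no QNames.

    ns_map (an assumed parameter) is the prefix -> namespace URI binding
    the author of the XPath had in mind. Only "/" and "//" steps with
    element name tests are handled; anything else is rejected rather
    than passed through with a QName still in it.
    """
    if not xpath:
        raise ValueError("empty XPath")
    out, pos = [], 0
    while pos < len(xpath):
        m = _STEP.match(xpath, pos)
        if m is None:
            raise ValueError("unsupported XPath syntax at offset %d" % pos)
        axis, prefix, local = m.groups()
        if prefix is None:
            uri = ""  # XPath 1.0: an unprefixed name test means "no namespace"
        elif prefix in ns_map:
            uri = ns_map[prefix]
        else:
            raise ValueError("undeclared prefix %r" % prefix)
        if "'" in uri:
            raise ValueError("namespace URI contains a quote: %r" % uri)
        tests = []
        if local != "*":
            tests.append("local-name()='%s'" % local)
        if local != "*" or prefix is not None:
            tests.append("namespace-uri()='%s'" % uri)
        out.append(axis + "*" + ("[%s]" % " and ".join(tests) if tests else ""))
        pos = m.end()
    return "".join(out)


SOAP = "http://www.w3.org/2003/05/soap-envelope"  # URI quoted in the thread
MY = "urn:example:my"                              # constructed sample URI

if __name__ == "__main__":
    print(strip_qnames("/soap:Body", {"soap": SOAP}))
    print(strip_qnames("//soap:Body/my:Node", {"soap": SOAP, "my": MY}))
```

Two XPaths that differ only in the prefix chosen for the same namespace rewrite to the same string, and an undeclared prefix or unsupported syntax is rejected instead of being emitted unchanged.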
