- From: <sampo@zxidp.org>
- Date: Sat, 13 Nov 2010 20:36:27 +0100 (CET)
- To: public-xmlsec@w3.org
- Cc: sampo@zxidp.org
This mail is to forward a mail submitted to w3c-ietf-xmldsig@w3.org (as directed on page http://www.w3.org/2002/07/xml-exc-c14n-errata) http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2010OctDec/0000.html I have learned from a friendly source that the said mailing list is "dead". I find it quite disturbing that specifications and errata mention as the official reporting mechanism a mailing list that is "dead" or not monitored by any human. You can hardly claim a transparent and open standards process if such dead mailing lists exist so that all comments go to /dev/null. Is the intent not to receive any comments? I reproduce here the original mail: The specification [XML-EXC-C14N] does not state how a namespace prefix, not defined earlier in the document, should be processed. Section 3, bullet 2 does not help much as it seems to assume input where the prefixes are always well defined. Similarily section 3.1 bullet 3.2.1 seems to assume that all prefixes in the PrefixList are well defined. My interpretation is that the undefined prefixes are errors that should cause digital signature to be rejected. However I have been challenged by some vendors on the market, claiming that their signatures with undefined prefixes in InclusiveNamespaces PrefixList are indeed valid as the specification does not expressly forbid such undefined prefixes. I think the specifications should be more clear on this issue. I would hope for errata to be released to clarify this. [XML-EXC-C14N] John Boyer, Donald E. Eastlake 3rd, Joseph Reagle: "Exclusive XML Canonicalization Version 1.0", W3C Recommendation 18 July 2002, http://www.w3.org/TR/xml-exc-c14n/ --Sampo
Received on Saturday, 13 November 2010 19:37:24 UTC