
RE: ACTION-581: proposal around IDness of attributes

From: Pratik Datta <pratik.datta@oracle.com>
Date: Mon, 11 Oct 2010 00:21:10 -0700 (PDT)
Message-ID: <5395c748-96a5-42fd-a5e9-48432e1084e2@default>
To: Scott Cantor <cantor.2@osu.edu>, public-xmlsec@w3.org
Related to ACTION-647

We need to discuss a few things around this in the next meeting:
1) Should we allow id() in our XPath subset or not?
   We currently do have the id function.

2) How should the ID attributes be defined?
  XPath 1.0 defines the Id function to be DTD defined.
  XPath 2.0 defines the fn:id function to be DTD/ defined or xml:id. (See is-id in section 6.3.3 and 6.3.4 of http://www.w3.org/TR/xpath-datamodel )


As Scott mentioned, even with XPath 1.0, it is possible to make it work with ID attributes beyond DTD by using the DOM 3 functions to mark ID attributes.

My opinion is that we should not use the dsig2:IDAttributes function to define ID attributes for the XPath profile, because:
  a) First of all, we don't even need id() functions in XPath for dsig. We already have the URI mechanism in dsig, which is widely used, and we have already agreed to allow URI references to use ids defined by the dsig2:IDattributes. However, we are telling users to avoid using IDs because of the possibility of wrapping attacks; instead they should use XPaths. Obviously they should not use the id() function in attributes, because it comes back to the whole issue of wrapping attacks.
  b) Secondly, one of the major DOM parsers used inside Oracle is not fully DOM3 compliant, and it does not support the setIDattribute function. There may be other DOM parsers in a similar situation too. So this may not be easy to implement for all parsers.

I say that we leave the id() function exactly as it is in XPath 1.0, i.e. defined by DTD only.

Pratik

-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu] 
Sent: Monday, August 30, 2010 10:40 AM
To: Pratik Datta; public-xmlsec@w3.org
Subject: RE: ACTION-581: proposal around IDness of attributes

> I had intended our XPath streaming profile to be reusable, so that other
> specifications can also use it. E.g. we were planning for this to be shared
> with WS-Transfer.

Ok, but are we allowing id() in our use of the subset or not?

> So it shouldn't have any dependencies on XML signature. I.e. XML signature
> 2.0 should depend on XPath profile for XML signature, but not the other way
> around.
> 
> That is why I think dsig2:IDAttributes should not be used by the XPath.

I don't think that follows. Isn't the assertion syntax specific to XML
Signature anyway? Why would anybody expect that use of the IDAttributes
element would apply to other uses of that subset?

> This is what we are publishing for tomorrow
> * XPath profile includes the id() function, but says that IDs are only
> defined by DTDs.

That's really a mistake anyway (in just the context of your subset draft),
because that's not what people do/expect in practice. It even excludes
xml:id for example.

> * XML signature 2.0 goes with option 1 - i.e. the dsig2:IDAttributes should
> have only one ID attribute definition - the one used by the reference
> 
> But we can change it after further discussion.

Yes, I think we should discuss. I may not have explained this well enough.

-- Scott
Received on Monday, 11 October 2010 07:23:05 GMT
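
The two ID-ness definitions debated in this thread (DTD-declared only versus attributes marked through the DOM 3 setIdAttribute call), sketched with Python's xml.dom.minidom as an added example that is not code from either poster or from the working group's drafts. The sample documents, the helper names and the expected-path check are assumptions made for the illustration.

```python
from xml.dom import minidom

# Constructed sample documents (not taken from the thread).
NO_DTD = b'<Envelope><Body Id="b1">data</Body></Envelope>'
WITH_DTD = (b'<!DOCTYPE Envelope [<!ATTLIST Body Id ID #IMPLIED>]>'
            b'<Envelope><Body Id="b1">data</Body></Envelope>')
MOVED = b'<Envelope><Header><Body Id="b1">data</Body></Header></Envelope>'

def elements(node):
    """Yield every element below node in document order."""
    for child in node.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            yield child
            yield from elements(child)

def path_of(el):
    """Absolute element path such as /Envelope/Body."""
    parts = []
    while el is not None and el.nodeType == el.ELEMENT_NODE:
        parts.append(el.tagName)
        el = el.parentNode
    return "/" + "/".join(reversed(parts))

def resolve(xml_bytes, id_value, id_attr=None, expected_path=None):
    """Return the path of the element that id_value resolves to, or None.

    id_attr=None  : DTD-only ID-ness, the XPath 1.0 id() rule.
    id_attr="Id"  : application-declared ID-ness, marked via DOM 3 setIdAttribute.
    expected_path : hypothetical extra check that the hit sits where the
                    verifier expects it, since an ID lookup ignores position.
    """
    doc = minidom.parseString(xml_bytes)
    if id_attr:
        for el in elements(doc):
            if el.hasAttribute(id_attr):
                el.setIdAttribute(id_attr)
    hit = doc.getElementById(id_value)
    if hit is None:
        return None
    found = path_of(hit)
    if expected_path and found != expected_path:
        raise ValueError("ID %r resolved at %s, expected %s"
                         % (id_value, found, expected_path))
    return found

if __name__ == "__main__":
    print(resolve(NO_DTD, "b1"))
    print(resolve(WITH_DTD, "b1"))
    print(resolve(NO_DTD, "b1", id_attr="Id"))
```

The same attribute resolves or fails to resolve depending only on which ID-ness rule the processor applies, and an ID hit carries no information about where in the tree the element was found.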
