W3C home > Mailing lists > Public > public-xmlsec@w3.org > September 2010

RE: Namespace Injection in DSig 2.0

From: Scott Cantor <cantor.2@osu.edu>
Date: Thu, 2 Sep 2010 10:10:55 -0400
To: "'Meiko Jensen'" <Meiko.Jensen@ruhr-uni-bochum.de>, "'XMLSec WG Public List'" <public-xmlsec@w3.org>
Message-ID: <057501cb4aa8$a8f1a140$fad4e3c0$@osu.edu>
> The good news: but only if the developer did not use the new QNameAware
> parameter properly.

I'm not sure that's true...

> The details:
> The Namespace Injection technique worked by exploiting the fact that
> namespace prefixes used in XPath expressions were not "visibly utilized"
> in the sense of Exclusive Canonicalization, hence their namespace
> declaration was not protected with the digest over "SignedInfo".
> 
> In the new specs, the proper use of the QNameAware parameter leads to
> explicit declaration of exactly those mappings.

I don't think so. XPath expressions are not QNames. They contain prefixes,
or perhaps even something that is basically a QName, but the QNameAware
parameter is *not* currently used for describing content that can contain a
QName, but only for describing content that is itself solely a QName.

In other words, the burden was not meant to be on the c14n layer to go
parsing into content to find them.

Dealing with XPath expressions is a separate (and more complex) problem. If
we were to try to extend the option to cover them, I think we would have to
be able to describe how exactly the c14n layer was supposed to process the
expression and find the prefixes.
 
-- Scott
Received on Thursday, 2 September 2010 14:11:31 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 2 September 2010 14:11:32 GMT