W3C home > Mailing lists > Public > public-xmlsec@w3.org > February 2011

Changes to Section 10.6.1 Selection of XML Documents or Fragments in XML Signature 2.0, ACTION-769 and ACTION-773

From: Pratik Datta <pratik.datta@oracle.com>
Date: Mon, 7 Feb 2011 15:25:35 -0800 (PST)
Message-ID: <4b90a609-ccad-43d5-ac07-af62f01d6a09@default>
To: public-xmlsec@w3.org
Changes shown below. Deletions in strikeout and insertions underlined.

 

10.6.1 Selection of XML Documents or Fragments

 

Identifier:

    http://www.w3.org/2010/xmldsig2#xml

 

This dsig2:Selection algorithm allows the selection of XML documents or fragments.

 

The required URI attribute can be an external or same-document reference. External references are parsed into an XML document or event stream for the subsequent selection process to operate upon. Same-document references take the form of an empty value (URI="") or a fragment (URI="#foo"). The former refers to the entire document, while the latter refers to a subtree rooted at the element with the "ID" contained in the fragment.

 

The differences between the processing, and allowed syntax, of this URI attribute and that of a "Compatibility Mode" Reference URI are:

 

    * Dereferencing a same-document reference does not result in an XPath node set.

    * The xpointer syntax is not permitted.

    * There is no comment node removal during the dereferencing process.

 

The dsig2:Selection element may contain at most one dsig2:IncludedXPath and at most one dsig2:ExcludedXPath parameter element to modify the selection result.

Either the URI attribute or the dsig2:IncludedXPath must be present, but not both. The dsig2:ExcludedXPath may be present in either case. I.e. the dsig2:Selection must have one of the following:

 

    * The URI attribute.

    * The URI attribute and one dsig2:ExcludedXPath parameter element.

    * One dsig2:IncludedXPath parameter element.

    * One dsig2:IncludedXPath parameter element and one dsig2:ExcludedXPath parameter element.

 

Note: When an IncludedXPath or ExcludedXPath selects an element node, it implies that the whole subtree rooted at that element is included or excluded.

 

 

Processing of the selection and parameters is as follows:

 

   1. [deleted] If present, the dsig2:IncludedXPath is evaluated with the context set at the root of the document. The XPath expression results in one or more element nodes. The effective selection is modified to include only the subtree(s) identified by the element node(s) resulting from the XPath evaluation.

      [inserted] Either the URI attribute is dereferenced to select an element, and this element is added to the "inclusion list".

      Or the dsig2:IncludedXPath is evaluated at the root of the document to select element node(s), then these are added to the "inclusion list".

   2. [deleted] If present, the dsig2:ExcludedXPath is evaluated with the context set at the root of the document. The XPath expression results in one or more element nodes and/or attributes. The effective selection is modified to exclude any such attributes, and to exclude all the subtrees identified by any such element nodes.

      [inserted] If the dsig2:ExcludedXPath is present, it is evaluated at the root of the document to select element and/or attribute node(s), which are then added to the "exclusion list".

   3. [deleted] Regardless, the effective selection is also modified to exclude the Signature subtree under computation/evaluation.

      [inserted] The current Signature element under computation/evaluation is added to the "exclusion list".

 

The final result of the selection process is a set of one or more element nodes (with no element a descendant of any other), and a set of zero or more exclusions consisting of element and/or attribute nodes.

 

Note: In a "streaming mode" of evaluation, the XPath evaluation, the canonicalization and digesting need to happen in a pipeline. This is described in Section "2.1 Streaming for XPath Signatures" in [XMLDSIG-XPATH].

 

Pratik
Received on Monday, 7 February 2011 23:41:46 GMT
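The selection rules proposed in the message above (URI or dsig2:IncludedXPath builds an inclusion list, dsig2:ExcludedXPath builds an exclusion list of elements and attributes, the Signature under computation is always excluded, and no included element may be a descendant of another) modelled as a small standard-library Python program. This is an added example, not code from the message, the XML Signature 2.0 draft, or any W3C implementation. Assumptions: the sample document, its element names and the "Id" attribute used for same-document references are constructed for this example; XPath is limited to the subset xml.etree's ElementPath understands, and an ExcludedXPath ending in "/@name" is split by hand to model attribute exclusion, since ElementPath cannot return attribute nodes; external references are not modelled.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample document for this example only. "Id" is treated as the
# ID attribute by convention (assumption: no DTD or schema is consulted).
SAMPLE_XML = """<Order xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="order1">
  <Customer Id="cust1"><Name>Alice</Name><Secret>hunter2</Secret></Customer>
  <Items>
    <Item sku="A1" note="internal">1</Item>
    <Item sku="B2">2</Item>
  </Items>
  <ds:Signature Id="sig1"><ds:SignedInfo/></ds:Signature>
</Order>"""


@dataclass
class Selection:
    included: list                                     # no element a descendant of another
    excluded_elements: set = field(default_factory=set)
    excluded_attrs: set = field(default_factory=set)   # (element, attribute name) pairs


def parent_map(root):
    return {child: parent for parent in root.iter() for child in parent}


def is_descendant(node, ancestor, parents):
    n = parents.get(node)
    while n is not None:
        if n is ancestor:
            return True
        n = parents.get(n)
    return False


def find_by_id(root, ref_id, id_attrs=("Id",)):
    """Resolve a same-document fragment (#foo) to the element carrying that ID."""
    for el in root.iter():
        if any(el.get(a) == ref_id for a in id_attrs):
            return el
    raise LookupError(f"no element with ID {ref_id!r}")


def select(root, uri=None, included_xpath=None, excluded_xpath=None, signature=None):
    """Apply the dsig2:Selection rules from the proposed text."""
    if (uri is None) == (included_xpath is None):
        raise ValueError("exactly one of URI and IncludedXPath must be present")
    parents = parent_map(root)

    # Step 1: the inclusion list, from the URI or from IncludedXPath at the root.
    if uri is not None:
        if uri == "":
            inclusion = [root]                          # whole document
        elif uri.startswith("#"):
            inclusion = [find_by_id(root, uri[1:])]     # subtree rooted at the ID
        else:
            raise ValueError("external references are not modelled in this example")
    else:
        inclusion = root.findall(included_xpath)        # ElementPath subset only
        if not inclusion:
            raise ValueError("IncludedXPath selected no element nodes")

    sel = Selection(included=[])
    # Step 2: the exclusion list from ExcludedXPath. A trailing "/@name" is
    # split by hand (assumption) because ElementPath has no attribute nodes.
    if excluded_xpath is not None:
        path, sep, attr = excluded_xpath.rpartition("/@")
        if sep:
            for el in root.findall(path):
                if attr in el.attrib:
                    sel.excluded_attrs.add((el, attr))
        else:
            sel.excluded_elements.update(root.findall(excluded_xpath))
    # Step 3: the Signature under computation/evaluation is always excluded.
    if signature is not None:
        sel.excluded_elements.add(signature)

    # Result: element nodes with no element a descendant of any other.
    for el in inclusion:
        if not any(is_descendant(el, o, parents) for o in inclusion if o is not el):
            sel.included.append(el)
    return sel


def effective(sel):
    """Walk the included subtrees, pruning excluded subtrees and attributes.
    Returns [(tag, kept attribute names)] in document order: the nodes that
    would reach canonicalization and digesting."""
    out = []

    def walk(el):
        if el in sel.excluded_elements:
            return                                      # whole subtree excluded
        kept = sorted(a for a in el.attrib if (el, a) not in sel.excluded_attrs)
        out.append((el.tag, kept))
        for child in el:
            walk(child)

    for el in sel.included:
        walk(el)
    return out


ROOT = ET.fromstring(SAMPLE_XML)
SIG = ROOT.find(DS + "Signature")

if __name__ == "__main__":
    sel = select(ROOT, uri="", excluded_xpath=".//Item/@note", signature=SIG)
    for tag, attrs in effective(sel):
        print(tag, attrs)
```

The walk in `effective` is where the two notes in the message matter: excluding an element drops its whole subtree, and the enclosing Signature never digests itself. The pruning loop before it is what guarantees the "no element a descendant of any other" property when an IncludedXPath such as `.//*` selects nested elements.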