Re: Importing 1.0 while normatively referencing 1.1 ( LC-2544) ( LC-2561)

From: Cantor, Scott <cantor.2@osu.edu>
Date: Tue, 6 Sep 2011 13:30:07 +0000
To: MURATA Makoto <eb2m-mrt@asahi-net.or.jp>, "public-xmlsec@w3.org" <public-xmlsec@w3.org>
Message-ID: <CA8B983D.1477F%cantor.2@osu.edu>

On 9/6/11 9:24 AM, "MURATA Makoto" <eb2m-mrt@asahi-net.or.jp> wrote:

>Scott wrote:
>
>> I think it will create confusion to have an import that is unused in a
>> schema (I feel essentially exactly the opposite about it).
>
>It is used by xsd:any.

I don't know what that refers to.

>What do you mean by "break"?  Even if an application does not generate
>signature using XML Signature 1.1, there is nothing wrong in validating
>that signature against the Encryption 1.1 schema that imports the
>Signature 1.1 schema.

There is if you don't have the 1.1 schema available. Applications MUST
have all schemas on hand and/or have a secure lookup mechanism. You cannot
rely on import locations or schemaLocation hints in real world
applications. Ask the W3C what happens when you do that.

-- Scott
Received on Tuesday, 6 September 2011 13:30:40 GMT
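
The point in the reply above about having all schemas on hand, as an added example that is not part of the original message or of any W3C or project code: imports are resolved by namespace against a local catalog only, `schemaLocation` hints are recorded but never fetched, and a namespace that is not bundled fails closed. The catalog contents, the helper names and the hint URL are constructed for illustration; the import chain models the case discussed in the thread (an Encryption 1.1 schema importing the Signature 1.1 schema).

```python
import xml.etree.ElementTree as ET

XS = "{http://www.w3.org/2001/XMLSchema}"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
DSIG11 = "http://www.w3.org/2009/xmldsig11#"
XENC11 = "http://www.w3.org/2009/xmlenc11#"


class MissingSchema(Exception):
    """An imported namespace has no locally bundled schema."""


def _schema(ns, hint=""):
    # Constructed stand-in for a bundled .xsd file: only the import matters here.
    imp = f'<xs:import namespace="{ns}" schemaLocation="{hint}"/>' if ns else ""
    return f'<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">{imp}</xs:schema>'


def import_closure(root_ns, catalog):
    """Return (namespaces needed, schemaLocation hints ignored) for root_ns.

    Imports are resolved by namespace against `catalog` only; a namespace
    that is not bundled raises MissingSchema instead of being fetched.
    """
    needed, ignored, todo = set(), [], [root_ns]
    while todo:
        ns = todo.pop()
        if ns in needed:
            continue
        if ns not in catalog:
            raise MissingSchema(ns)
        needed.add(ns)
        for imp in ET.fromstring(catalog[ns]).findall(XS + "import"):
            if imp.get("schemaLocation"):
                ignored.append(imp.get("schemaLocation"))
            todo.append(imp.get("namespace"))
    return needed, ignored


# Constructed catalogs: an Encryption 1.1 schema that imports Signature 1.1,
# which in turn imports Signature 1.0. The hint URL is a placeholder.
HINT = "http://schemas.example/xmldsig11-schema.xsd"
FULL = {XENC11: _schema(DSIG11, HINT), DSIG11: _schema(DSIG), DSIG: _schema("")}
ONLY_1_0 = {XENC11: _schema(DSIG11, HINT), DSIG: _schema("")}
```

With `FULL` the closure is all three namespaces and the hint is reported as ignored; with `ONLY_1_0` (a deployment that ships only the 1.0 Signature schema) the call raises `MissingSchema` for the 1.1 namespace rather than following the hint.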