- From: Cantor, Scott <cantor.2@osu.edu>
- Date: Tue, 6 Sep 2011 13:30:07 +0000
- To: MURATA Makoto <eb2m-mrt@asahi-net.or.jp>, "public-xmlsec@w3.org" <public-xmlsec@w3.org>
On 9/6/11 9:24 AM, "MURATA Makoto" <eb2m-mrt@asahi-net.or.jp> wrote: >Scott wrote: > >> I think it will create confusion to have an import that is unused in a >> schema (I feel essentially exactly the opposite about it). > >It is used by xsd:any. I don't know what that refers to. >What do you mean by "break"? Even if an application does not generate >signature using XML Signature 1.1, there is nothing wrong in validating >that signature against the Encryption 1.1 schema that imports the >Signature >1.1 schema. There is if you don't have the 1.1 schema available. Applications MUST have all schemas on hand and/or have a secure lookup mechanism. You cannot rely on import locations or schemaLocation hints in real world applications. Ask the W3C what happens when you do that. -- Scott
Received on Tuesday, 6 September 2011 13:30:40 UTC