W3C home > Mailing lists > Public > public-xmlsec@w3.org > September 2011

RE: FW: Last Call for XML Signature 2.0, Canonical XML 2.0 and XML Signature Streaming Profile of XPath 1.0

From: Pratik Datta <pratik.datta@oracle.com>
Date: Tue, 6 Sep 2011 11:05:47 -0700 (PDT)
Message-ID: <c0bd0d42-128f-4b6c-b987-ac0b30894475@default>
To: "Grosso, Paul" <pgrosso@ptc.com>, public-xmlsec@w3.org, jirka@kosek.cz, public-xml-core-wg@w3.org
Jirka,

Thanks for your review.

We have made the following changes to  XML Signature Syntax and Processing Version 2.0  after your review.
The latest draft version is here http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-20/



-----------------------------------------------------------------

>>•Specification uses term "XML namespace URI" instead of "namespace name" 
>>Although this probably doesn't create confusion, such informal term shouldn't 
>>appear in W3C spec. Either proper term "namespace name" should be used 
>>(see http://www.w3.org/TR/xml-names/#dt-NSName) or at least "XML namespace URI"
>> should be put into Appendix A - Definitions and be properly defined here as a synonym of "namespace name".

RESOLUTION:  This is in the original 2002 REC, so it seems this change is not urgent. That said, we have resolved this by adding a definition to Appendix A in XML Signature 2.0. 

XML namespace URI
	This refers to the namespace name [[XML-NAMES]].


-----------------------------------------------------------------



>> * Insufficently defined context for XPath evaluation in § "10.6.1 Selection of XML Documents or Fragments"


RESOLUTION: Added the following paragraph in section 10.6.1  Selection of XML Documents or Fragments


Initialize the XPath evaluation context for the dsig2:IncludedXPath element and the dsig2:ExcludedXPath as follows:

    A context node equal to the root of the document.
    A context position, initialized to 1.
    A context size, initialized to 1.
    A library of functions equal to the function set defined in [XMLDSIG-XPATH]. (Note: The XPath function here() defined in Xpath Filter Transform must not be used in this context)
    A set of variable bindings. No means for initializing these is defined. Thus, the set of variable bindings used when evaluating the XPath expression is empty, and use of a variable reference in the XPath expression results in an error.
    The set of namespace declarations in scope for the XPath expression.


-----------------------------------------------------------------



>> * Typo in § "11.3 Namespace Context and Portable Signatures"
>>  In addition, the Canonical XML and Canonical XML with Comments
>>  algorithms import all XML namespace attributes (such as *xml:lang*) from
>>  the...
>>
>>  There shouldn't be `xml:lang', but namespace declaration attribute like `xmlns:foo'.
>>
>>  Also using entity references in examples as content of namespace
>>  declarations looks quite confusing.


RESOLUTION:  There is no typo here.   By "XML namespace attributes" we mean  attributes that are in the "xml" namespace . e.g "xml:lang", "xml:space", "xml:id", "xml:base" etc. 



Also removed the entity references from namespace declaration and instead used regular namespaces like this:

<A xmlns:n1="http://foo.example">
  <B xmlns:n2="http://bar.example">
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">   ...
      <Reference URI="#signme"/> ...
    </Signature>
    <C ID="signme" xmlns="http://baz.example"/>
  </B>
</A>


Also this whole section has now been moved to the compatibility section "B.8 Namespace Context and Portable Signature" as it is not applicable to canonical XML 2.0.  Canonical XML 2.0 uses only exclusive canonicalization so it is portable.

-----------------------------------------------------------------


>> * § "B.7.2 Base64"
>>   Transformation as described assumes that operates on text node --
>>   otherwise it will always return empty string. I'm not sure whether
>>   this is correct assumption. Omitting operation 1) will fix this
>>   problem.


RESOLUTION: Changed the text slightly to mention these steps  (step 2 is changed)

If an XPath node-set (or sufficiently functional alternative) is given as input, then it is converted to an octet stream by performing operations logically equivalent to 
1) applying an XPath transform with expression self::text(), then 
2) sorting the nodeset by document order, then concatenating the string-value of each of the nodes into one long string.


This doesn't need to operate only on text nodes.  Here is an example to illustrate

Suppose your XML looks like  this <a><b>hello</b/><c>world</c></a>   , and you apply an XPath transform with "self:text()". Remember with XPath transform, the xpath expression is evaluated repeatedly for every node, and then only the nodes tha! t return true are considered.  I.e. the Xpath expression will be evaluated 5 times   , 
1)    <a>    self:text()  returns false
2)    <b>    self:text()  returns false
3)    hello  self:text() returns true
4)    <c>    self:text()  returns false
5)    world  self:text() returns true
so the filtered nodeset will have two nodes "hello" and "world".  

Taking the string value of each of these nodes in document order and concatenating them returns "helloworld".

-----------------------------------------------------------------


This is related to my ACTION-830


Pratik



-----Original Message-----
From: Grosso, Paul [mailto:pgrosso@ptc.com] 
Sent: Monday, June 06, 2011 12:08 PM
To: public-xmlsec@w3.org
Subject: FW: FW: Last Call for XML Signature 2.0, Canonical XML 2.0 and XML Signature Streaming Profile of XPath 1.0

Forwarding from XML Core to XML Signature WG.

paul

-----Original Message-----
From: Jirka Kosek [mailto:jirka@kosek.cz]
Sent: Tuesday, 2011 May 31 4:03
To: Grosso, Paul
Cc: public-xml-core-wg@w3.org
Subject: Re: FW: Last Call for XML Signature 2.0, Canonical XML 2.0 and XML Signature Streaming Profile of XPath 1.0

On 27.4.2011 15:37, Grosso, Paul wrote:
> The XML Core WG has been asked to review these specs before the end of 
> May.  Jirka and Norm have actions to do so and report back to the WG.

Hi,

I spent very limited time on this and haven't time to review RELAX NG schemas at all. Below are few issues I have found. I'm also attaching HTML rendering.

				Jirka

1 XML Signature Syntax and Processing Version 2.0
--------------------------------------------------
[http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-20/]
* Specification uses term "XML namespace URI" instead of "namespace name"
  Although this probably doesn't create confusion, such informal term
  shouldn't appear in W3C spec. Either proper term "namespace name"
  should be used (see [http://www.w3.org/TR/xml-names/#dt-NSName]) or at
  least "XML namespace URI" should be put into Appendix A - Definitions
  and be properly defined here as a synonym of "namespace name".
* Insufficently defined context for XPath evaluation in § "10.6.1 Selection of XML Documents or Fragments"
  XPath 1.0 specification defines the following properties for context
  ORG-BLOCKQUOTE-START
  a node (the context node)
  a pair of non-zero positive integers (the context position and the context size)
  a set of variable bindings
  a function library
  the set of namespace declarations in scope for the expression
  ORG-BLOCKQUOTE-END
  Only the context node is defined in this specification, other
  properties should be defined as well.
* Typo in § "11.3 Namespace Context and Portable Signatures"
  In addition, the Canonical XML and Canonical XML with Comments
  algorithms import all XML namespace attributes (such as *xml:lang*) from
  the...

  There shouldn't be `xml:lang', but namespace declaration attribute like `xmlns:foo'.

  Also using entity references in examples as content of namespace
  declarations looks quite confusing.
* § "B.7.2 Base64"
  Transformation as described assumes that operates on text node --
  otherwise it will always return empty string. I'm not sure whether
  this is correct assumption. Omitting operation 1) will fix this
  problem.

2 XML Signature Streaming Profile of XPath 1.0
-----------------------------------------------
[http://www.w3.org/2008/xmlsec/Drafts/xmldsig-xpath/] In general I don't think it is good idea to create yet another XPath subset. Proliferation of XPath subsetting prevents using standalone XPath libraries when implementing various subsets of the language. If streaming is necessary then effort should be derived from XSLT 3.0 which provides streaming facilities.



--
------------------------------------------------------------------
  Jirka Kosek      e-mail: jirka@kosek.cz      http://xmlguru.cz
------------------------------------------------------------------
       Professional XML consulting and training services
  DocBook customization, custom XSLT/XSL-FO document processing
------------------------------------------------------------------
 OASIS DocBook TC member, W3C Invited Expert, ISO JTC1/SC34 member
------------------------------------------------------------------
Received on Tuesday, 6 September 2011 18:06:40 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 6 September 2011 18:06:40 GMT