W3C home > Mailing lists > Public > public-xmlsec@w3.org > September 2011

Re: FW: FW: Last Call for XML Signature 2.0, Canonical XML 2.0 and XML Signature Streaming Profile of XPath 1.0 ( LC-2488)

From: <frederick.hirsch@nokia.com>
Date: Mon, 19 Sep 2011 20:24:44 +0000
To: Grosso@jessica.w3.org, Paul <pgrosso@ptc.com>
Cc: public-xmlsec@w3.org
Message-Id: <E1R5kOS-0001Rv-EG@jessica.w3.org>

 Dear Grosso, Paul ,

The XML Security Working Group has reviewed the comments you sent [1] on
the Last Call Working Draft [2] of the XML Signature Syntax and Processing
Version 2.0 published on 21 Apr 2011. Thank you for having taken the time
to review the document and to send us comments!

The Working Group's response to your comment is included below, and has
been implemented in the new version of the document available at:
http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-20/#sec-NamespaceContext.

Please review it carefully and let us know by email at
public-xmlsec@w3.org if you agree with it or not before 26 September 2011.
In case of disagreement, you are requested to provide a specific solution
for or a path to a consensus with the Working Group. If such a consensus
cannot be achieved, you will be given the opportunity to raise a formal
objection which will then be reviewed by the Director during the transition
of this document to the next stage in the W3C Recommendation Track.

Thanks,

For the XML Security Working Group,
Thomas Roessler
W3C Staff Contact

 1.
http://www.w3.org/mid/9B2DE9094C827E44988F5ADAA6A2C5DA02EE3A07@HQ-MAIL9.ptcnet.ptc.com
 2. http://www.w3.org/TR/2011/WD-xmldsig-core2-20110421/


=====

Your comment on the document as a whole:
> 1 XML Signature Syntax and Processing Version 2.0
> 
> http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-20/
> 
> Specification uses term "XML namespace URI" instead of "namespace name"
> 
> Although this probably doesn't create confusion, such informal term
> shouldn't appear in W3C spec. Either proper term "namespace name" should
> be used (see http://www.w3.org/TR/xml-names/#dt-NSName) or at least "XML
> namespace URI" should be put into Appendix A - Definitions and be
> properly defined here as a synonym of "namespace name".
> Insufficently defined context for XPath evaluation in  "10.6.1
> Selection of XML Documents or Fragments" 
> XPath 1.0 specification defines the following properties for context
> a node (the context node)
> a pair of non-zero positive integers (the context position and the
> context size)
> a set of variable bindings
> a function library
> the set of namespace declarations in scope for the expression
> 
> Only the context node is defined in this specification, other
> properties should be defined as well.
> 
> Typo in  "11.3 Namespace Context and Portable Signatures" 
> In addition, the Canonical XML and Canonical XML with Comments
> algorithms import all XML namespace attributes (such as xml:lang) from
> theā€¦
> There shouldn't be xml:lang, but namespace declaration attribute like
> xmlns:foo.
> 
> Also using entity references in examples as content of namespace
> declarations looks quite confusing.
> 
> "B.7.2 Base64" 
> Transformation as described assumes that operates on text node --
> otherwise it will always return empty string. I'm not sure whether this
> is correct assumption. Omitting operation 1) will fix this problem


Working Group Resolution (LC-2488):
Details of original XML Security WG response (and corresponding changes)
is here:
http://lists.w3.org/Archives/Public/public-xmlsec/2011Sep/0026.html

Feedback with continued concern with "XML Namespace Attributes" language
(other changes accepted) in section 11.3:
http://lists.w3.org/Archives/Public/public-xmlsec/2011Sep/0029.html (and
http://lists.w3.org/Archives/Public/public-xmlsec/2011Sep/0030.html )
Formal endorsement of XML Core WG:
http://lists.w3.org/Archives/Public/public-xmlsec/2011Sep/0038.html

XML Security WG resolution of issue, changing the language:
http://lists.w3.org/Archives/Public/public-xmlsec/2011Sep/0040.html

Agreed at XML Security WG teleconference,
http://lists.w3.org/Archives/Public/public-xmlsec/2011Sep/att-0044/minutes-2011-09-13.html#item04

This change should address the concern by adopting revised text as
follows:

Original text:

   In addition, the Canonical XML and Canonical XML with Comments
algorithms **import**  **all**  **XML namespace attributes** (such as
xml:lang) from the nearest ancestor in which they are declared to the apex
node of canonicalized XML unless they are already declared at that node.
This may frustrate the intent of the signer to create a signature in one
context which remains valid in another.

Revised text:

[[
In addition, the Canonical XML and Canonical XML with Comments algorithms
define special treatment for attributes in the XML namespace, which can
cause them to be part of the canonicalized XML even if they were outside of
the document subset. Simple inheritable attributes are inherited from
nearest ancestor in which they are declared to the apex node of
canonicalized XML unless they are already declared at that node. This may
frustrate the intent of the signer to create a signature in one context
which remains valid in another.
]]

See http://lists.w3.org/Archives/Public/public-xmlsec/2011Sep/0046.html

----
Received on Monday, 19 September 2011 20:24:50 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 19 September 2011 20:24:51 GMT