W3C home > Mailing lists > Public > public-xmlsec@w3.org > November 2012

Re: Comment for XML Signature Syntax and Processing Version 1.1 Working Draft 18 October 2012 (re: here() function)

From: G. Ken Holman <gkholman@CraneSoftwrights.com>
Date: Thu, 08 Nov 2012 16:03:32 -0500
Message-Id: <7.0.1.0.2.20121108155320.024746d0@wheresmymailserver.com>
To: <Frederick.Hirsch@nokia.com>,<cantor.2@osu.edu>
Cc: <Frederick.Hirsch@nokia.com>,<sean.mullan@oracle.com>, <edsimon@xmlsec.com>,<public-xmlsec@w3.org>
At 2012-11-08 20:49 +0000, Frederick.Hirsch@nokia.com wrote:
>This issue was noted in 2002, but no namespace was 
>added: 
><http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2002OctDec/0033.html>http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2002OctDec/0033.html 
>
>
>It looks to me that the intent is to augment the XPath library with 
>the here() function without a namespace prefix - possibly the 
>original thinking was that it would be added to the standard XPath 
>library but there is no documentation of that thinking (perhaps Ed 
>or Brian remember).
>
>The current text in section 6.6.3 says in the bullet list:
>    * A library of functions equal to the function set defined in 
> [<http://www.w3.org/TR/2012/WD-xmldsig-core1-20121018/#bib-XPATH>XPATH] 
> a function named 
> <http://www.w3.org/TR/2012/WD-xmldsig-core1-20121018/#function-here>here.
>
>This corresponds to the idea that the library is augmented with 
>here() and thus it should not be prefixed, but treated by the 
>implementation as if it were part of XPath.
>
>Thus an implementation of signature should treat an XPath 
>implementation as having here() as part of the library. This also 
>avoids the potential of  namespace wrapping attacks noted by Meiko, 
>http://lists.w3.org/Archives/Public/public-xmlsec/2009Dec/0000.html
>
>Thus could we argue no change is needed apart from the editorial fix 
>to the bullet to read as follows:
>    * A library of functions equal to the function set defined in 
> [<http://www.w3.org/TR/2012/WD-xmldsig-core1-20121018/#bib-XPATH>XPATH] 
> augmented with a function named 
> <http://www.w3.org/TR/2012/WD-xmldsig-core1-20121018/#function-here>here 
> to be treated as if part of the library (and not namespace prefixed).
>Regardless of how an implementation is built is will need to augment 
>the XPath library with here() to support XML Signature.
>
>Thoughts?

This was raised in another email thread, using the evidence that XSLT 
and XQuery are two languages that augment without conflicts the list 
of available functions in an XPath implementation with function names 
in no namespace.

I acknowledged that as suitable evidence for the established practice 
of a specification augmenting XPath with their own functions.  But I 
noted my initial concerns were that this might be a restriction for 
off-the-shelf XPath implementations.  I now think DigSig joins XSLT 
and XQuery as precedents for off-the-shelf XPath implementations to 
allow the no-namespace function list to be augmented.

I still question if some implementers might have problems rewriting 
the transform expression in "pure XPath" to implement some task, but 
I guess that just goes with the territory.

In that other email thread I noted I was mollified by this argument 
of established practice.  I'm prepared to withdraw my concerns.  I do 
not have credentials to <public-xmlsec@w3.org> in order to post that 
the issue appears to have been properly addressed from the start and 
that my worries were unfounded.

Thank you for your patience with me.

. . . . . . . . . . Ken

--
Contact us for world-wide XML consulting and instructor-led training
Free 5-hour lecture: http://www.CraneSoftwrights.com/links/udemy.htm
Crane Softwrights Ltd.            http://www.CraneSoftwrights.com/m/
G. Ken Holman                   mailto:gkholman@CraneSoftwrights.com
Google+ profile: https://plus.google.com/116832879756988317389/about
Legal business disclaimers:    http://www.CraneSoftwrights.com/legal
Received on Thursday, 8 November 2012 21:04:07 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 8 November 2012 21:04:07 GMT