Re: Potential issues in XML Schema files pointed out from XML Sig v1.1?

Thanks for this Scott and Hal,

I see your point...however, I tend to think that there is no point in 
having a driver file that points to nowhere, and IMHO this should be 
changed to point to the right place: as it is now it is basically 
making a wrong statement.

Also, even if I agree that security issues would advise that 
implementers get copies of the XML Schema files and get them from their 
local store, to put in xmlsig11 the right pointer to the xmlsig would 
publicly declare within this XML Schema file where to get that other xml 
schema...then implementers could store them wherever they want....or do 
you think that doing this could bring some security issue for 
implementers that, once downloaded the right xml schema files, just make 
use of these locally stored files?

Juan Carlos
On 08/06/15 at 17:52, Hal Lockhart wrote:
> If you really need this capability, the easiest solution would be to ask Admin at W3C to establish the required alias URI.
>
> As Scott has pointed out, the need to retrieve the schema should be rare and not a routine operational process.
>
> Hal
>
>> -----Original Message-----
>> From: Juan Carlos Cruellas [mailto:cruellas@ac.upc.edu]
>> Sent: Monday, June 08, 2015 7:40 AM
>> To: public-xmlsec@w3.org
>> Subject: Potential issues in XML Schema files pointed out from XML Sig
>> v1.1?
>>
>> Dear all,
>>
>> When looking at the XML Schema files pointed by XML Sig v1.1 I have
>> found the following:
>>
>> 1. At the so-called "driver" file, at
>> http://www.w3.org/TR/xmldsig-core1/xmldsig1-schema.xsd, I have noticed
>> the following include:
>>
>> <include schemaLocation="http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/xmldsig-core.xsd"/>
>>
>> Please note that trying to retrieve a file from the URI within
>> schemaLocation attribute results in a file not found error
>> (404)....instead making a retrieve operation on
>> "http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/xmldsig-core-schema.xsd"
>> results in the correct file.
>>
>>
>>
>>
>> 2. At the xml schema file in
>> http://www.w3.org/TR/xmldsig-core1/xmldsig11-schema.xsd, corresponding
>> to the xml schema for types and elements within xmldsig11 namespace,
>> the two first lines are:
>>
>> <schema targetNamespace="http://www.w3.org/2009/xmldsig11#"
>> version="0.1" elementFormDefault="qualified">
>> <import namespace="http://www.w3.org/2000/09/xmldsig#"/>
>>
>> but the import element does not have the schemaLocation attribute that
>> allows applications to automatically retrieve the xml schema defining
>> types and elements for xmldsig namespace...shouldn't it be such a
>> schemaLocation with a value
>> http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/xmldsig-core-schema.xsd?
>>
>>
>> Could you please confirm if you also see them as issues that could need
>> to be fixed? and if so, could you please make an estimation on how and
>> when they could be fixed?
>>
>>
>> Best regards
>>
>> Juan Carlos.
>>
>>

Received on Monday, 8 June 2015 17:07:10 UTC
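
The local-store approach discussed in this thread, as an added example that is not part of the original messages or of any W3C tooling: a resolver that maps each `<include>`/`<import>` to a pinned local copy and reports the two conditions raised above without fetching anything. The catalog paths and the `resolve_references` name are assumptions, and the two sample schemas are constructed from the fragments quoted in the thread.

```python
import xml.etree.ElementTree as ET

XS = "{http://www.w3.org/2001/XMLSchema}"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
DSIG_URL = "http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/xmldsig-core-schema.xsd"

# Hypothetical local store: schemaLocation URI or namespace -> pinned file.
LOCAL_CATALOG = {
    DSIG_URL: "schemas/xmldsig-core-schema.xsd",
    DSIG_NS: "schemas/xmldsig-core-schema.xsd",
}

def resolve_references(xsd_text, catalog=LOCAL_CATALOG):
    """Map each <include>/<import> to a local file; never touch the network."""
    results = []
    for el in ET.fromstring(xsd_text):
        if el.tag not in (XS + "include", XS + "import"):
            continue
        location = el.get("schemaLocation")
        namespace = el.get("namespace")
        # Prefer the exact location hint, then fall back to the namespace.
        local = catalog.get(location) or catalog.get(namespace)
        if local is None:
            issue = "unresolved: not in local catalog"
        elif location is None:
            issue = "no schemaLocation: resolved by namespace"
        elif location not in catalog:
            issue = "schemaLocation unknown: resolved by namespace"
        else:
            issue = None
        results.append({"kind": el.tag[len(XS):], "location": location,
                        "namespace": namespace, "local": local, "issue": issue})
    return results

# Constructed samples modelled on the two fragments quoted in the thread.
DRIVER_XSD = """<schema xmlns="http://www.w3.org/2001/XMLSchema">
  <include schemaLocation="http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/xmldsig-core.xsd"/>
</schema>"""

DSIG11_XSD = """<schema xmlns="http://www.w3.org/2001/XMLSchema"
  targetNamespace="http://www.w3.org/2009/xmldsig11#"
  version="0.1" elementFormDefault="qualified">
  <import namespace="http://www.w3.org/2000/09/xmldsig#"/>
</schema>"""

if __name__ == "__main__":
    for name, text in (("driver", DRIVER_XSD), ("xmldsig11", DSIG11_XSD)):
        for ref in resolve_references(text):
            print(name, ref["kind"], ref["local"], ref["issue"])
```
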