- From: Joseph M. Reagle Jr. <reagle@w3.org>
- Date: Tue, 15 Jun 1999 12:52:31 -0400
- To: <rdbrown@GlobeSet.com>
- Cc: "IETF/W3C XML-DSig WG" <w3c-ietf-xmldsig@w3.org>
>In the XML-DSIG draft specification, I have proposed the use of XLink
>because they do not mandate the URI portion. By default, an XLink refers
>to the containing resource, thence allowing relative references. I
>strongly feel that mandating the use of URI will render the
>specification inapplicable to XML applications that heavily rely upon
>composition (IOTP, eCheck, BIPS...). Recall that, before all, they
>authenticate XML elements and not necessarily XML documents.
I think I agree and had reformulated it yesterday as (sorry for all the
updates, but it will freeze tomorrow for FTF discussion and I'm trying to be
as responsive as possible till then):
>XML-Signatures can be applied to any Web resource -- including non-XML
>content. XML-Signature referents are identified with URIs that refer to
>external or internal resources (i.e., network accessible or within the
same
>XML document/package). [Berners-Lee, Reagle, Brown, List(Vincent)]
Perhaps it make more sense to use the XLink terminology of locator? (I'm
open to alternative wordings -- feel free to make a proposal.) Which
specifies:
Locator
Locator ::= URI
| Connector (XPointer | Name)
| URI Connector (XPointer | Name)
Connector ::= '#' | '|'
URI ::= URIchar*
Regardless, we are going to have to give more thought to the processing
model of XLink/Xptr, which I raised on the workshop list. [4] To prompt this
I also had added the following terms [3]:
6. XML-Signature applications must
1. understand XML-Pointers [XPointer]. Applications will
reference/select parts of XML documents using XML-Pointer.
[Reagle]
2. understand XML-namespaces [XML-namespaces] in the creation of
its own signature syntax. Applications may optionally choose
C14N algorithms which do or do not process namespaces.
3. understand XLink. Applications will use XLink to reference
signed resources in the manifest. Applications do not embed
or expand XLink references in the signed content, though
applications may optionally choose C14N which provide this
feature.
Another question I have, which I've wondered about in the Jetforms
submission (slow getting to our site as a NOTE, but should be up soon) is
are the following two identical?
1. select then C14N
2. C14N then select
Depending on how/if we permit XPtr, these two operations will not result in
the same fragment from which one generates a hash. If one selected a XPtr
spanning term, that included two attribute location terms (or string terms)
as its bounds, the C14Nical re-ordering of attributes will goof things. (See
sectin 3.7 [3])
____
[1] http://www.w3.org/TR/WD-xlink#addressing
[2] http://www.w3.org/Signature/Drafts/xml-dsig-requirements-990601.html
[3] http://www.w3.org/TR/WD-xptr
[4] http://lists.w3.org/Archives/Public/w3c-xml-sig-ws/1999May/0000.html
Resources, XPointer, and Fragment Identifiers
Joseph M. Reagle Jr. (reagle@w3.org)
Thu, 06 May 1999 16:20:54 -0400
Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Joseph M. Reagle Jr.: "Draft Charter"
-----------------------------------------------------------------------------
---
Message-Id: <3.0.5.32.19990506162054.00a287d0@localhost>
Date: Thu, 06 May 1999 16:20:54 -0400
To: "XML-DSig Workshop" <w3c-xml-sig-ws@w3.org>
From: "Joseph M. Reagle Jr." <reagle@w3.org>
Cc: "Daniel Veillard" <veillard@w3.org>, bill.smith@sun.com
Subject: Resources, XPointer, and Fragment Identifiers
[I'm raising this issue while it's fresh in my mind and to put it on the
issues list of the WG once it is formed.]
I was talking to Philipp Hoschka (W3C Architecture Domain Lead) about some
of the coordination issues with XML and we spent a small amount of time
talking about filters, selectors, and XPointer when I said signed-XML was
probably going to punt on the issue of using "filters" to say which elements
and sub-blocks are signed. Or, only go as far as requiring that if an
element block wants to be signed, it should have an ID attribute specified
that can be referenced in a locator in the manifest. Philipp responded by
stating that if you permit URIs, then you permit XPointer. [1] Were we going
so far as to say only URIs, or only certain types of URIs. (He also
mentioned that XSL selectors and XPtr should converge.)
This seems odd to me in the following way. signed-XML will be a XML 1.0
application, but need it be an XPtr application, do they mean the same
thing? Imagine one implementor who supports XPtr and uses them in his
manifest, and another who doesn't. The semantics are not shared and in a way
that is dangerous to interoperability. I'm comfortable with the idea of a
signed-XML application failing on the fact that it doesn't recognize a HTTP
scheme (e.g., locator="foobar:ASF*&@#$~~"). But less comfortable on failing
because of fragment identifiers.
Presently, Richard Brown's signed-XML draft states that:
Locator: Locator value that contains either a URI [RFC 2396], a
fragment identifier, or both. Notice that making use of a
fragment identifier for a document content other than XML is
out of the scope of this draft proposal and may lead to
inconsistent results.
This certainly seems true. But I think we should be more specific. Also,
this might even be true in XML if XPtr is used, because the semantics of the
content after the "#" (i.e., "http://*#stuff") is defined by the MIME type.
Does the registered MIME type specify XPtr?
[1] http://www.w3.org/TR/WD-xptr
___________________________________________________________
Joseph Reagle Jr. http://www.w3.org/People/Reagle/
Policy Analyst mailto:reagle@w3.org
-----------------------------------------------------------------------------
---
Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Joseph M. Reagle Jr.: "Draft Charter"
_________________________________________________________
Joseph Reagle Jr.
Policy Analyst mailto:reagle@w3.org
XML-DSig Co-Chair http://w3.org/People/Reagle/
Received on Tuesday, 15 June 1999 12:52:38 UTC