W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > April to June 2000

XPath serialization RE: Enveloped signatures

From: John Boyer <jboyer@PureEdge.com>
Date: Mon, 15 May 2000 13:13:20 -0700
To: "Petteri Stenius" <Petteri.Stenius@remtec.fi>, "TAMURA Kent" <kent@trl.ibm.co.jp>
Cc: "IETF/W3C XML-DSig WG \(E-mail\)" <w3c-ietf-xmldsig@w3.org>
Based on your comments below, it is clear that we will have to tweak the
XPath serialization description.  The problem is that your sample output for
the XPath serialization is not what was intended.  The sample output you
show for c14n is the output I expect to see from Xpath serialization.

The section is called XPath 'filtering' because we view the XML document as
a single tree.  The mental model is that of performing a standard, ordinary
depth first tree traversal, rendering only those nodes that are in the
node-set.  We are trying to regenerate the actual document minus the parts
that are excluded by the XPath expression.  Your implementation duplicates
the subtrees in each tree of the forest and generally creates an enormous

Obviously, I will have to make some changes so that this is clear, but
obviously agree on how the XPath serialization should generate most of its
output.  The serialization algorithm is quite similar to c14n, except in the
following ways:

1) The XPath serializer assumes a forest, so it handles fragmentary XML
2) The XPath serializer doesn't rewrite namespaces.
3) The XPath serializer doesn't do character model normalization.

Furthermore, the XML core WG just dropped C14N.  Since we need it to be
finished, they've handed it off to us, and we have the ability to change it
as necessary so that we finish.  When we are finished, there will be no
difference between c14n and XPath serialization, although I predict that
your current c14n code will be obsoleted.  Specifically, namespace rewriting
and character model normalization will be eliminated.

John Boyer
Software Development Manager
PureEdge Solutions Inc. (formerly UWI.Com)
Creating Binding E-Commerce

-----Original Message-----
From: w3c-ietf-xmldsig-request@w3.org
[mailto:w3c-ietf-xmldsig-request@w3.org]On Behalf Of Petteri Stenius
Sent: Monday, May 15, 2000 12:16 PM
To: 'John Boyer'
Cc: IETF/W3C XML-DSig WG (E-mail)
Subject: RE: Enveloped signatures

I think it would be good if the XPath serialization and c14n were closer to
each other, or even equal!

I'm not saying I need a c14n after a XPath transform, I'm saying that the
whole process of doing an XPath transform is not possible in one pass.

A simple example should clarify:

	<Signature Id="S1">

The result node-set from the XPath expression for excluding the Signature
element is a list with the nodes:


The serialized output from the XPath expression is:


Output from the combination of exclude-signature transform + C14N
serialization is simply:



> -----Original Message-----
> From: John Boyer [mailto:jboyer@PureEdge.com]
> Sent: Thursday, May 11, 2000 10:17 PM
> To: Petteri Stenius; 'Joseph M. Reagle Jr.'
> Cc: IETF/W3C XML-DSig WG (E-mail)
> Subject: RE: Enveloped signatures
> I would be interested in knowing exactly why you feel you
> need c14n after an
> XPath transform.  After running the XPath expression, the result of
> serialization is quite similar to c14n in most respects and
> was written so
> that there would be no output ambiguities that did not result
> from changing
> the input document.  You should not need c14n, so one pass should be
> sufficient.
> Moreover, it seems that we are inheriting the c14n spec, and the two
> principal differences between the XPath serialization and
> c14n, which are
> namespace normalization and composed character normalization,
> are quite
> likely to be deleted (for reasons that will be discussed
> later).  Assuming
> this is true, though, means that the XPath serialization
> will, in essence,
> be equal to c14n.
> Thus, the only area of awkwardness that we are trying to
> overcome is the
> 'political' awkwardness of having applications provide support for a
> specific XPath exclusion transform without providing full
> XPath support.
> I don't mind if we want to do this, but the WG has avoided
> doing this in the
> past because it has, up to now, meant that we would have to repeat the
> definition of 'how to write' the result.  It's one thing to
> say 'I just want
> to exclude the Signature being created while calculating this
> DigestValue'
> but it's another thing entirely to recognize that you must
> still create a
> byte stream that can be digested.
> In other words, the enveloped-signature-transform still needs
> something like
> the XPath serialization to fit our current processing model.
> John Boyer
> Software Development Manager
> PureEdge Solutions Inc. (formerly UWI.Com)
> Creating Binding E-Commerce
> jboyer@PureEdge.com
Received on Monday, 15 May 2000 16:13:33 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:21:33 UTC