RE: Followup on I18N Last Call comments and disposition from Martin J. Duerst on 2000-07-10 (w3c-ietf-xmldsig@w3.org from July to September 2000)

From: Martin J. Duerst <duerst@w3.org>
Date: Mon, 10 Jul 2000 19:01:43 +0900
To: "John Boyer" <jboyer@PureEdge.com>, "Joseph M. Reagle Jr." <reagle@w3.org>
Cc: <w3c-ietf-xmldsig@w3.org>, www-international@w3.org
Message-Id: <4.2.0.58.J.20000629161547.036bc380@sh.w3.mag.keio.ac.jp>

Hello John,

Many thanks for having a look at this. Please note that
we had quite some discussions with James Clark on this
(W3C member only) in the thread around
http://lists.w3.org/Archives/Member/w3c-xsl-wg/1999Sep/0262.html.

Given the pushback we have received at that point on a
xml:lang-specific solution to the problem, and the fact
that as you say in most cases where XPath or XSLT is used
in the context of signatures, it's not that much of a problem,
I would suggest to add a note about the problem (see e.g.
the note just before
http://www.w3.org/TR/xslt#section-Creating-Processing-Instructions)

Regards,  Martin.


At 00/06/28 09:15 -0700, John Boyer wrote:
>Hi Martin and Joseph,
>
>Regarding the treatment of xml:lang, I was concerned about the possible loss
>of this information by the XPath transform.  I was also concerned about the
>loss of xml:space and future xml: attributes (e.g. xml:base).
>
>The Xpath transform is now really just a call-through to the new
>canonicalization algorithm, which can take an XPath expression other than
>the default (the default expression renders the whole document except
>comments, which means it can be implemented without actually using XPath).
>
>However, Section 5 of the new c14n addresses document subsets, which is the
>only place where the loss of xml:lang and other xml related attributes can
>affect the meaning of information that is retained by the XPath expression.
>In that section, I added the requirement to obtain copies of attributes in
>the xml namespace from ancestors of an element E if E's parent is excluded
>from the node-set.
>
>Though a less onerous requirement than namespace propagation, it is
>identical in intent.  The loss of namespace information from ancestors is
>clearly a security risk, and it would be very difficult for an XPath
>expression author to account for this.  Likewise, the unintentional loss of
>xml:lang and similar attributes in the xml namespace is a security risk that
>would be too difficult to account for in the XPath expression.
>
>To be honest, most of the applications for document subsetting that I have
>in mind involve the elimination of a leaf or subtree of the parse tree, so
>the problem would not come up.  Nonetheless, XPath is a more generic
>feature, and to be 'in for a pound', we accounted for the problem.
>
>***************************************
>John Boyer,
>Software Development Manager
>
>PureEdge Solutions (formerly UWI.Com)
>Creating Binding E-Commerce
>
>v:250-479-8334, ext. 143 f:250-479-3772
>1-888-517-2675  http://www.PureEdge.com
>***************************************

Received on Monday, 10 July 2000 05:58:34 UTC