RE: Tentative signature over C14N examples from John Boyer on 2000-10-11 (w3c-ietf-xmldsig@w3.org from October to December 2000)

From: John Boyer <jboyer@PureEdge.com>
Date: Wed, 11 Oct 2000 08:40:50 -0700
To: "Petteri Stenius" <Petteri.Stenius@done360.com>
Cc: <xmldsig-interop@pothole.com>, "XML DSig" <w3c-ietf-xmldsig@w3.org>
Message-ID: <BFEDKCINEPLBDLODCODKMELCCFAA.jboyer@PureEdge.com>
Hi Petteri,

Please note the following sentence, which leads the fifth paragraph of
section 2.1:

"The input octet stream MUST contain a well-formed XML document, but the
input need not be validated. However, the attribute value normalization and
entity reference resolution MUST be performed in accordance with the
behaviors of a validating XML processor."

Example 3.5 is designed to ensure that implementations conform with this
requirement (so that validating and non-validating processors have the same
output).

Thanks,
John Boyer
PureEdge Solutions Inc.

-----Original Message-----
From: w3c-ietf-xmldsig-request@w3.org
[mailto:w3c-ietf-xmldsig-request@w3.org]On Behalf Of Petteri Stenius
Sent: Wednesday, October 11, 2000 5:54 AM
To: 'John Boyer'
Cc: xmldsig-interop@pothole.com; XML DSig
Subject: RE: Tentative signature over C14N examples



Does not the "Entiry References" sample in chapter 3.5 of [1] require a
validating parser because of the external entity references?

The spec does not require a validating parser, should not the sample be
changed to not require a validating parser?

Petteri

[1] http://www.w3.org/TR/2000/WD-xml-c14n-20000907

> -----Original Message-----
> From: John Boyer [mailto:jboyer@PureEdge.com]
> Sent: Friday, October 06, 2000 9:53 PM
> To: merlin@baltimore.ie
> Cc: xmldsig-interop@pothole.com; XML DSig
> Subject: RE: Tentative signature over C14N examples
>
>
> Hi Merlin,
>
> Note that your message did not go to the DSig list.
>
> <merlin>
> <snip/>
> Note that I do not concur with the spec for example 4: I don't
> understand the subtlety of marking the attribute as an ID; my
> nonvalidating parser treats it no differently.
> </merlin>
>
> <john>
> Yes, your non-validating parser should have no trouble with
> the id attribute
> of normId.  A validating parser, however, should get a little
> choked up
> about the ID attribute because the attribute should conform
> to NmToken but
> doesn't.
> I also notice that your example 4 did not strip out the
> leading and trailing
> whitespace for that attribute's value.  The example in
> c14n-20000907 is
> wrong for not doing that.
> By saying that your non-validating parser treats it no
> differently, are you
> saying that your non-validating processor does not realize that the
> attribute is identified as an ID attribute?
> If so, please see Section 5.1 of the XML specification
> regarding conformance
> of non-validating processors.
>
> Though not applicable to this example, please also note the
> following from
> Section 2.1 of C14N:
> "The input octet stream MUST contain a well-formed XML
> document, but the
> input need not be validated. However, the attribute value
> normalization and
> entity reference resolution MUST be performed in accordance with the
> behaviors of a validating XML processor."
> This requirement means that a non-validating processor can be
> used, but the
> c14n implementation is required to augment the processor by
> reading the
> external DTD subset for the additional declarations.
> </john>
>
> <merlin>
> Neither do I concur with the spec for example 7: I do not see
> a justification for xmlns="".
> </merlin>
>
> <john>
> The justification is that e3 is not namespace qualified in
> the input, so it
> should not be namespace qualified in the output.  The problem is that,
> unfortunately, the XPath data model represents an empty
> default namespace
> with the absence of a node, not with the presence of a
> default namespace
> node having an empty value.  Thus, w.r.t. e3, we cannot tell
> the difference
> between <e2 xmlns=""><e3/></e2> versus <e2><e3
> xmlns=""/></e2>.  All we know
> is that e3 was not be namespace qualified on input, so we
> preserve this
> information on output.
> </john>
>
> <merlin>
> I tweaked the XPath on example 7 to suit signature processing.
> </merlin>
>
> <john>
> Perhaps you could provide the full XPath transform that
> you've used.  I'm
> pretty sure your tweak is fine, but I'd like to see the
> declaration of the
> ieft prefix.  BTW, is there some reason why you didn't use
> the subexpression
> inside the square brackets of example 7?
> </john>
>
> <merlin>
> John, I presume that xml:foo attributes are sorted using the
> standard value for xmlns:xml if none else is specified?
> </merlin>
>
> <john>
> Yes.  The default value for the xml prefix provides the
> namespace URI that
> functions as the primary key of attributes beginning with the
> xml: prefix.
> </john>
>
> <merlin>
> Also, the NOTATION needs a SYSTEM.
> </merlin>
>
> <john>
> Yikes! I will fix that immediately.
> Canonical form is unaffected-- unfortunately :(
> </john>
>
> Merlin
>
Received on Wednesday, 11 October 2000 11:44:13 UTC