W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > July to September 2001

Comment from PR Review: Is XML1.0 parsing well-formed or validating?

From: Joseph Reagle <reagle@w3.org>
Date: Thu, 6 Sep 2001 09:31:22 -0400
To: XML Signature WG <w3c-ietf-xmldsig@w3.org>
Message-Id: <20010906133122.CC89D87620@policy.w3.org>


The following question asks what the parsing method is for XML1.0: 
well-formed or validating? I've presumed this is up to the applications, 
and most applications, if they want validating, will provide information 
necessary for that validation (e.g., a doctype). Should we provide a 
transform that makes it clear that one application requires validated 
parsing for signature validity (and consequently default attributes might 
be present where they wouldn't have otherwise), make validating parsing the 
default, or is the present state sufficient? 


[1] 4.3.3.2 The Reference Processing Model
> >
> >   "If the data object is an octet stream and the next transform
> >    requires a node-set, the signature application MUST attempt
> >    to parse the octets yielding the required node-set."
> >
> > It is not stated whether the octets should be parsed in validating or
> > well-formed mode. This ambiguity may lead to interoperability problems
> > (default attributes). Please specify in which manner the octets should
> > be parsed. Well-formed mode would appear to be appropriate, as DTD
> > information will often be unavailable and schema validation is
> > available as an explicit transform.
> >
> > It might also be appropriate to add a security warning about variance
> > in the validation of a document between signing and verification. For
> > example, if a self-signed document is generated without validation and
> > verified with validation, then default values introduced by the
> > schema/DTD may result in a signature verification error.
Received on Thursday, 6 September 2001 09:31:23 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:21:36 UTC