W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > April to June 2002

Change request -- was Re: Alternative XPathFilter - a picture says more...

From: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>
Date: Mon, 06 May 2002 20:14:18 +0200
To: merlin <merlin@baltimore.ie>
Cc: John Boyer <JBoyer@PureEdge.com>, reagle@w3.org, w3c-ietf-xmldsig@w3.org
Message-id: <44502150.1020716058@crypto>
--On Dienstag, 19. März 2002 23:48 +0000 merlin <merlin@baltimore.ie> wrote:

> Admittedly, it allows operations such as exclude an element in
> the middle of a tree, but include its children ("H" in your example),
> but I don't think that these features are compelling. People can use
> the old XPath if they need an operation as esoteric as that.

Hi Merlin,
hi all

First, in reply to Merlin's post[2], I'm happy to confirm that the current 
spec of "XML-Signature XPath Filter 2.0" [1] allows my esoteric suggestion 
from [3] ;-) (I attached the sample at this mail).

Now to I have a suggestion/change request about the "XML-Signature XPath 
Filter 2.0" [1]:

---
What I want: I want to be able to "merge" multiple, subsequent (directly 
followinf each other) xmldsig-xfilter2 transforms into a single transform.

---
Why I want it: First, this transform is cool - it really rules. This 
transform is very powerful in the ways how easily I (as a user) can express 
my wishes on what I want to sign - simply in a subtree language which is 
really intuitive. The real power of this transform becomes visible if I 
chain multiple of these transforms into a direct sequence: I can cut, 
divide, include, exclude, whatever I want. My own implementation has a very 
clean interface on what is given from a previous to a following transform: 
either an octet stream or an xpath node set. If I want to release the full 
power of this transform, I need all intersect/subtract/union information in 
my hands in a single transform. THEN I can speed up and touch every node 
only once. The processing model does not change: Multiple 'steps' (whereas 
e.g. a single union operation is a step) are applied in the order in which 
they appear in the transform.

---
How this could look like:

<ds:Transform Algorithm="http://www.w3.org/2002/04/xmldsig-filter2"
       xmlns:dsig-xpath="http://www.w3.org/2002/04/xmldsig-filter2">
  <dsig-xpath:XPath Filter="intersect"> //E </dsig-xpath:XPath>
  <dsig-xpath:XPath Filter="union">     //B </dsig-xpath:XPath>
  <dsig-xpath:XPath Filter="subtract">  //C </dsig-xpath:XPath>
  <dsig-xpath:XPath Filter="union">     //F </dsig-xpath:XPath>
  <dsig-xpath:XPath Filter="subtract">  //G </dsig-xpath:XPath>
  <dsig-xpath:XPath Filter="union">     //H </dsig-xpath:XPath>
</ds:Transform>
---

Note to the schema cracks: Here, I have multiple child elements put 
directly into the ds:Transform. If it's more philosphically correct, insert 
an intermediary element like that:

<ds:Transform Algorithm="http://www.w3.org/2002/04/xmldsig-filter2"
       xmlns:dsig-xpath="http://www.w3.org/2002/04/xmldsig-filter2">
  <dsig-xpath:XPathSequence>
  <dsig-xpath:XPath Filter="intersect"> //E </dsig-xpath:XPath>
  <dsig-xpath:XPath Filter="union">     //B </dsig-xpath:XPath>
  <dsig-xpath:XPath Filter="subtract">  //C </dsig-xpath:XPath>
  <dsig-xpath:XPath Filter="union">     //F </dsig-xpath:XPath>
  <dsig-xpath:XPath Filter="subtract">  //G </dsig-xpath:XPath>
  <dsig-xpath:XPath Filter="union">     //H </dsig-xpath:XPath>
  </dsig-xpath:XPathSequence>
</ds:Transform>

Regards,
Christian


[1] http://www.w3.org/Signature/Drafts/xmldsig-xfilter2/
    Revision v1.5
[2] 
http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2002JanMar/0237.html
[3] 
http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2002JanMar/att-0236/01
-xpath2filter_tree.gif


Received on Monday, 6 May 2002 14:10:19 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:15 GMT