W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > January to March 2005

Re: [Norman Walsh] Re: Test Case with xml-dsig

From: Richard Tobin <richard@inf.ed.ac.uk>
Date: Tue, 8 Feb 2005 17:53:28 +0000 (GMT)
To: ht@inf.ed.ac.uk (Henry S. Thompson), Norman Walsh <Norman.Walsh@Sun.COM>
Cc: John Boyer <JBoyer@PureEdge.com>, Joseph Reagle <reagle@mit.edu>, Gabe Wachob <gwachob@wachob.com>, public-xml-id@w3.org, w3c-ietf-xmldsig@w3.org
Message-Id: <20050208175328.589AF1F38DC@macintosh.inf.ed.ac.uk>

> Could you comment?
> 
> ht

>> Yes, thanks Henry. I don't think your example is actually complex
>> enough to demonstrate the problem though. If you canonicalize at the
>> root, there's no problem and if you canonicalize at internal, you get:
>> 
>>     <internal xml:base="../elsewhere" xlink:href="relative.html"/>
>> 
>> which is still OK. But add another level of hierarchy and I think
>> C14N does the wrong thing with xml:base too:
>> 
>>   <root xml:base="../elsewhere" xlink:href="relative.html">
>>     <intermediate xml:base="other">
>>       <internal xlink:href="relative.html"/>
>>     </intermediate>
>>   </root>
>> 
>> Now, by my reading of C14N, which may be incorrect, canonicalizing
>> internal would produce:
>> 
>>       <internal xml:base="other" xlink:href="relative.html"/>
>> 
>> which is wrong.

There are two problems: establising a initial base URI with which to
interpret relative URIs in the document at all, and interpreting
relative URIs when you only have a subtree of the document.

Canonical XML suggests solving the first problem by putting (absolute)
xml:base attributes on the document element.  If I understand
correctly this is supposed to be done by the application prior to
canonicalization, rather than being part of the canonicalization
process itself.  If this is done, neither Henry's not Norm's example
is relevant, since both have a relative xml:base on the root.  But if
the root has an absolute xml:base, it will be lost if there is an
intervening relative xml:base attribute above the root of the
canonicalized subset.

If the root is not given an absolute xml:base, then for the xml:base
attributes to work at all there must be some other mechanism by which
the base URI of the document is known.  In that case, Norm is right
that copying the nearest containing xml:base attribute only goes wrong
when there are two or more xml:base attributes at or above the root of
the canonicalized subset.

Canonical XML also suggests making *all* URIs in the document
absolute.  In that case there is no need for any xml:base atributes at
all, since there are no relative URIs to interpret.

-- Richard
Received on Tuesday, 8 February 2005 17:53:42 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.30 : Tuesday, 8 February 2005 17:53:42 GMT