W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > January to March 2005

Transforms Specification in DSIG

From: DeMartini, Thomas <Thomas.DeMartini@CONTENTGUARD.COM>
Date: Wed, 23 Mar 2005 13:32:17 -0800
Message-ID: <80AA6DF2767B8C48B75A58C2730E2E1D01BA7A@cgesmail1.CONTENT-GUARD.COM>
To: <w3c-ietf-xmldsig@w3.org>
This is a question about an ambiguity in the transforms specification in
DSIG.  DSIG says that transforms can take as input/output octet streams
or node sets.  I am concerned here with the case of node sets.

 

It is unclear to me what a node set is and how it is represented.
Consider, for instance, the example in section 4 of
http://www.w3.org/TR/xmldsig-filter2/, which outputs a node set that
"looks like"

 

   <ToBeSigned>
       
       <Data />
       <ReallyToBeSigned>
           
           <Data />
         </ReallyToBeSigned>
     </ToBeSigned><ToBeSigned>
       <Data />
      
   </ToBeSigned>

 

Now obviously the above is not actually a node set, but some
serialization of a node set.  My question has to do with what kind of
information is in the *actual* node set (rather than the serialization).
Recall that in the original document the <ReallyToBeSigned> node was a
child of a <NotToBeSigned> node.  In the *actual* node set that is
output from the transform, does the ReallyToBeSigned node still know
that its parent is a <NotToBeSigned> node event though the
<NotToBeSigned> node is not part of the output node set?  It makes a
difference, if, for instance, inside of a <dsig:Transforms> element I
had two <dsig:Transform> elements, the first one being as shown in the
above example and the second one being a transform that selects all
nodes whose direct parent is named "NotToBeSigned".

 

If the "ReallyToBeSigned" node in the *actual* node set that is passed
to the input of the second transform knows that its parent is
"NotToBeSigned", then it will also be output from the second transform.
If, however, the node forgets what its parent was, then it will excluded
from the output of the second transform.

 

So my first question can be formulated as:

1) Do the nodes in the output node set still exist within the context of
the input document, thereby remembering their parents/children in the
original input document?

 

My next question applies in case the answer to question #1 is that they
do not exist within the context of the input document.  Let's say the
second transform in my list selected all nodes whose direct parent is
named "Data".  If the <ReallyToBeSigned> node remembers that its parent
is <NotToBeSigned> or if it forgets its parent altogether and becomes
"unparented", then it will not be included in the output node set of the
second transform.  If, however, the <ReallyToBeSigned> node becomes
reparented to the "Data" node, then it will be included in the output
node set of the second transform.

 

So my second question can be formulated as:

2) If the nodes in the output node set no longer exist within the input
document, do they become "unparented" or do they become "reparented",
existing within the context of a new output document consisting only of
the nodes in the output node set?

 

If the answer to 1 and 2 is that the nodes in the output node set become
reparented, then I assume it is okay to serialize the node set to a
string for the purposes of passing it to another transform as input,
which transform implementation can then recreate the node set using its
own data structures and operate on it.  If the answer to 1 and 2 is that
the nodes in the output node set remain within the original input
document, then I assume I need to pass an array of nodes (each with
information about its original document) from one transform to the next.
If the answer to 1 and 2 is that the nodes in the output node set become
"unparented", then I am unclear what I should pass from one transform to
the next.

 

So my third question can be formulated as:

3) How should I pass a "node set" output from one transform as input to
the next in a way that is generic enough that any node set can be fully
represented without loss of information?

 

My final question has to do with serialization of a node set including
attribute nodes whose corresponding element nodes are not in the node
set.  Suppose "ReallyToBeSigned" were actually an attribute, say as
follows:

 

<ToBeSigned>

  <NotToBeSigned ReallyToBeSigned="signme"/>

</ToBeSigned>

 

Certainly once NotToBeSigned is removed from the output node set we
wouldn't want to serialize the output node set as

 

<ToBeSigned>ReallyToBeSigned="signme"</ToBeSigned>

 

or would we?

 

So my fourth question can be formulated as:

4) How should I  serialize a node set containing an attribute node if
the corresponding element node is not in the node set?

 

Thanks in advance for any clarification you can provide,

&Thomas.

 
Received on Thursday, 24 March 2005 02:22:00 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.30 : Thursday, 24 March 2005 02:22:02 GMT