W3C home > Mailing lists > Public > www-tag@w3.org > April 2002

Are QNames in Attribute Values Permitted as Identifiers?

From: Joseph Reagle <reagle@w3.org>
Date: Fri, 19 Apr 2002 11:26:38 -0400
Message-Id: <200204191526.LAA11594@tux.w3.org>
To: ian@w3.org, www-tag@w3.org
Cc: bobatk@microsoft.com, w3c-ietf-xmldsig@w3.org, www-xkms@w3.org

I'm noting that QNames are increasingly being used as identifiers within 
specifications. For example, XKMS is moving this way given the precedence 
set by SOAP, I'm seeing it in other ws-security work as well.

My primary question is an architectural one: are these acceptable 
replacements for URIs as identifiers within our specifications? (They're 
certainly easier to read!) What is the identifier, the string "foo:bar" or 
the tuple [0]? Do we expect all specs to treat them uniformly in the next 
version of XML? What about present versions?

My second question is an unfounded question about security implications. I 
haven't thought it through, but I wonder if there's any security 
ambiguities arising from the use of QNames as identifiers within an 
attribute value. When you sign a document via XML Canonicalization, it's 
attribute value is a string-value (not an "expanded-name" in XPath 
terminology, nor a QNAME in others'), but it also doesn't rewrite prefixes 
either so I feel safe. UDDI's schema-centric c14n [1] does rewrite 
namespace prefixes [2], but it's also schema centric -- I'm not sure what 
the result is there. (Bob?) And in other applications, where both sorts of 
processing might be done (attributes as strings versus QNAMEs) it's hard to 
say...

[0] http://www.w3.org/TR/2001/REC-xmlschema-2-20010502/#QName
[1] http://www.uddi.org/pubs/SchemaCentricCanonicalization-20020213.htm
[2] http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2002JanMar/0204
Received on Friday, 19 April 2002 11:26:40 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 26 April 2012 12:47:06 GMT