- From: Donald E. Eastlake 3rd <dee3@torque.pothole.com>
- Date: Sun, 11 Nov 2001 10:25:33 -0500
- To: <hirsch@zolera.com>
- cc: <IMAMU@jp.ibm.com>, <xml-encryption@w3.org>
Hi,

I believe XPath should add the namespace declaration to all descendant
elements. This behaviour, which destroys a good part of the information
about where namespace declarations were in the original input, is one
reason for the complexity of canonicalization...

Donald

From: "Frederick Hirsch" <hirsch@zolera.com>
Reply-To: <hirsch@zolera.com>
To: <IMAMU@jp.ibm.com>
Cc: <xml-encryption@w3.org>
Date: Fri, 2 Nov 2001 14:28:56 -0500
Message-ID: <HNEILHLKDJAILJJBNELPGEIMCGAA.hirsch@zolera.com>

>Takeshi,
>
>I was thinking of the document which will have a portion signed, but now I'm
>thinking this is an application issue, not a Transform issue.
>
>The reason I was thinking this was due to the exclusive canonicalization
>issues, and what happens when a portion of XML is signed and then possibly
>removed from the document along with the signature, as might occur with XML
>protocol applications.
>
>For example if foo:b is to be signed, then later removed from the document
>along with the signature:
>
><a xmlns:foo="http://www.foo.org/">
>  <foo:b>
>    <EncryptedData>...</EncryptedData>
>  </foo:b>
></a>
>
>I understand that the InfoSet includes the namespace declarations
>appropriate to b, so the question is when and how to correctly serialize -
>it could be the responsibility of the application when it removes the b
>element during processing. That is what makes sense to me, so there is no
>need to change the recommendation for this.
>
>Earlier I was thinking this had to happen during signing (making the
>explicit namespace declaration in b). XPath will not necessarily add the
>namespace declaration to the b element (at least the processor I tried does
>not), so I believe canonicalization would be needed to force the explicit
>namespace declaration at b:
>
>  <foo:b xmlns:foo="http://www.foo.org/">
>    <EncryptedData>...</EncryptedData>
>  </foo:b>
>
>So the transforms would be canonicalize, XPath and Decryption transform, in
>that order.
>
>But if it is up to the application after the signature has been created,
>then it is not a transform issue.
>
>---
>Frederick Hirsch
>Zolera Systems, http://www.zolera.com/
>Information Integrity, XML Security
Received on Sunday, 11 November 2001 10:28:07 UTC
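
Added example, not part of the original thread: a Python sketch of the serialization question discussed above, using the standard library's xml.dom.minidom. It shows that serializing foo:b on its own drops the xmlns:foo declaration inherited from a, and that copying every in-scope declaration onto the extracted element (the inclusive behaviour Donald describes) yields the self-contained form from Frederick's message. The function names and the sample document string are constructed for illustration.

```python
from xml.dom import minidom
from xml.parsers.expat import ExpatError

# Constructed sample input: the document from the message above.
DOC = (
    '<a xmlns:foo="http://www.foo.org/">'
    '<foo:b><EncryptedData>...</EncryptedData></foo:b>'
    '</a>'
)

def in_scope_namespaces(element):
    """Collect xmlns declarations visible at element; the nearest one wins."""
    scope = {}
    node = element
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        attrs = node.attributes
        for i in range(attrs.length):
            attr = attrs.item(i)
            if attr.name == "xmlns" or attr.name.startswith("xmlns:"):
                scope.setdefault(attr.name, attr.value)
        node = node.parentNode
    return scope

def extract_naive(doc_text, qname):
    """Serialize the subtree as-is; inherited declarations are not written."""
    dom = minidom.parseString(doc_text)
    return dom.getElementsByTagName(qname)[0].toxml()

def extract_with_namespaces(doc_text, qname):
    """Serialize the subtree with every in-scope declaration made explicit."""
    dom = minidom.parseString(doc_text)
    elem = dom.getElementsByTagName(qname)[0]
    for name, uri in sorted(in_scope_namespaces(elem).items()):
        if not elem.hasAttribute(name):
            elem.setAttribute(name, uri)
    return elem.toxml()

def is_well_formed(fragment):
    """True if a namespace-aware parser accepts the fragment stand-alone."""
    try:
        minidom.parseString(fragment)
        return True
    except ExpatError:
        return False

if __name__ == "__main__":
    for label, out in (("naive", extract_naive(DOC, "foo:b")),
                       ("explicit", extract_with_namespaces(DOC, "foo:b"))):
        print(label, is_well_formed(out), out)
```
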