W3C home > Mailing lists > Public > xml-encryption@w3.org > June 2002

More Security Text about Ancestor Context of XML Attributes

From: Joseph Reagle <reagle@w3.org>
Date: Wed, 12 Jun 2002 10:49:34 -0400
To: xml-encryption@w3.org
Cc: "John Boyer" <JBoyer@PureEdge.com>, Martin Duerst <duerst@w3.org>, w3c-i18n-ig@w3.org
Message-Id: <20020612144934.506D38623E@aeon.w3.org>


http://www.w3.org/Encryption/2001/Drafts/xmlenc-core/
$Revision: 1.206 $ on $Date: 2002/06/12 14:45:39 $ GMT by

   Similar attention between the relationship of a fragment and the
   context into which it is being inserted should be given to the
   xml:base, xml:lang, and xml:space attributes as mentioned in the
   Security Considerations of [XML-exc-C14N]. For example, if the element
   <Bongo href="example.xml"/> is taken from a context and serialized
   with no xml:base [XML-Base] attribute and parsed in the context of the
   element:

   <Baz xml:base="http://example.org/"/>

   the result will be:

   <Baz xml:base="http://example.org/"><Bongo href="example.xml"/></Baz>

   where Bongo's href is subsequently interpreted as
   "http://example.org/example.xml". If this is not the correct URI,
   Bongo should have been serialized with its own xml:base attribute.
   Unfortunately, the recommendation that xmlns="" be emitted to divorce
   (reset) the default namespace of the fragment from the context into
   which it is being inserted can not be made for the XML attributes
   xml:base, xml:lang, and xml:space. The meaning of an empty attribute
   value is undefined or maintains the contextual value. Consequently,
   applications SHOULD ensure (1) fragments that are to be encrypted are
   not dependent on XML attributes, or (2) if they are dependent and the
   resulting document is intended to be valid [XML], the fragment's
   definition permits the presence of the attributes and that they 
   have non-empty values.

-- 

Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature/
W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/
Received on Wednesday, 12 June 2002 10:50:15 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:32:03 UTC