Re: C14N work from Glenn Marcy on 2006-01-23 (public-xml-core-wg@w3.org from January 2006)

From: Glenn Marcy <gmarcy@us.ibm.com>
Date: Mon, 23 Jan 2006 14:37:03 -0500
To: public-xml-core-wg@w3.org
Message-ID: <OF6B888B29.3ACF17E6-ON852570FF.006781FD-852570FF.006BC460@us.ibm.com>
Paul wrote:
> [Glenn, some questions for you below.]

Sorry for the delay, just returned from my travels today.

> From what I can tell, we didn't really get any input on any
> of the questions above.  Specifically, folks argued about a
> 1.0 erratum versus 1.1, but no one addressed "if we create a 
> new namespace for C14N 1.1, what do we say the old namespace 
> means?"  And no one had any other suggestions on how to go
> about making a C14N 1.1 that minimized problems.
> 
> Glenn, is that correct, or did we miss something? 

That is my assessment as well.

> Glenn,
> 
> We are assuming you still agree with a 1.1 instead of an erratum
> to 1.0, correct?  Assuming so...

Agreed.

> > Henry points out we could produce a 1.1 and use the old identifier.
> > But Norm doesn't think we can do that.

The algorithm identifier is in the XML Signature specification, not
Canonical XML.  If nothing is changed in XML Signature the meaning
of the identifier might be considered by some to be ambiguous.

The current value is http://www.w3.org/TR/2001/REC-xml-c14n-20010315
which is always going to resolve to the original Canonical XML 1.0
Recommendation.  A second edition of Canonical XML 1.0 or a Canonical
XML 1.1 would each have a new resource identifier and so both have
the same issues with respect to the interpretation of the current
XML Signature algorithm identifier.

Either it is taken literally as the algorithm described by that
specific version of Canonical XML, or it could possibly be taken
as "the algorithm described by the most recent revision to the
specification that first appeared here".  Most of the responses
on the dsig mailing list suggest that the "safest" interpretation
would be that it does not include any revision.  Such a position
would require each revision be given a new algorithm identifier.

In either case a revision for XML Signature would be required,
either to assign a new algorithm identifier for the 1.1 revision
to C14N, or to clarify that the current algorithm identifier
corresponds to the latest revision to the C14N spec, presumably
until a new algorithm identifier were to be added for a more
significant change than this one.  However, I believe that one
could argue that if that were the case the original algorithm
identifier should have been http://www.w3.org/TR/xml-c14n and
not the version containing the date of publication.

> > We seem to be ready to produce a first WD of C14N 1.1.
> > 
> > ACTION to Glenn:  Produce an actual first editor's draft of C14N 1.1.
> > 
> 
> ... do you accept this action item?

Yes.  I've started to pull together bits and pieces of other such
revisions to see how they were handled.  Given what will probably be
a rather modest set of changes, I'm leaning towards the same working
draft format that Richard used for the first Namespaces in XML 1.1
working draft, which highlighted the differences between the 1.0
specification and the revision.
Received on Monday, 23 January 2006 19:37:20 UTC