- From: Konrad Lanz <Konrad.Lanz@iaik.tugraz.at>
- Date: Mon, 20 Oct 2008 17:30:48 +0200
- To: hoylen@hoylen.com
- CC: XMLSec WG Public List <public-xmlsec@w3.org>, public-xmlsec-comments@w3.org, www-xml-canonicalization-comments@w3.org
- Message-ID: <48FCA428.2010506@iaik.tugraz.at>

Dear Sue Hoylen,

Sue Hoylen wrote:
> In its maintenance of the XML Canonicalization and Exclusive XML
> Canonicalization specifications, could the Working Group please
> explicitly clarify how declarations of the "xml:" XML namespace are
> to be handled?

Thanks for your comment, we do think however that the current spec gives sufficient guidance about what happens to declarations of the "xml:" XML namespace.

The Processing Model of Canonical XML (C14n) http://www.w3.org/TR/xml-c14n.html#ProcessingModel states:

> To finish processing L, simply process every namespace node in L,
> except omit namespace node with local name xml, which defines the xml
> prefix, if its string value is http://www.w3.org/XML/1998/namespace.

Which means that these namespace declarations are never rendered in the canonical form.

There should also not be any effects on the XPath data model, as it states: http://www.w3.org/TR/xpath#namespace-nodes :

> Each element has an associated set of namespace nodes, one for each
> distinct namespace prefix that is in scope for the element (including
> the |xml| prefix, which is implicitly declared by the XML Namespaces
> Recommendation [XML Names] <http://www.w3.org/TR/xpath#XMLNAMES>)
> and one for the default namespace if one is in scope for the element.

kind regards

Konrad Lanz for the XML Security Working Group

P.S.: Some more answers to your comment ...

Begin forwarded message:

> I couldn't figure out from the XML Security Working Group's public
> Web page how the public can contact the WG (or if the WG even wants
> such input).

Please feel free to use the list mentioned below and we are happy to receive comments.

public-xmlsec-comments@w3.org
http://lists.w3.org/Archives/Public/public-xmlsec-comments/

> So I'm sending this email to you. If there is an appropriate place
> to raise this issue, then please do so; otherwise, you may ignore it.

Your comment was raised here: http://lists.w3.org/Archives/Public/public-xmlsec-comments/2008Oct/0000.html

> The unique behaviour of the XML namespace makes the interpretation of
> the canonicalization rules ambiguous. The unique behaviour comes
> from section 3 of Namespaces in XML 1.0 (Second Edition) [1] where it
> says: "It may, but need not, be declared, and must not be bound to
> any other namespace name."

If your question has not been answered, please elaborate more on this.

> Consider a source XML document, which we will call S0:
> S0: <a><b><c xml:id="C"/></b></a>
> If we wanted the canonicalized form of the document subset /a/b,
> there are four possible forms:
> C0: <b><c xml:id="C"></c></b>
> C1: <b><c xmlns:xml="http://www.w3.org/XML/1998/namespace"
> xml:id="C"></c></b>
> C2: <b xmlns:xml="http://www.w3.org/XML/1998/namespace"><c
> xml:id="C"></c></b>
> C3: <b xmlns:xml="http://www.w3.org/XML/1998/namespace"><c
> xmlns:xml="http://www.w3.org/XML/1998/namespace"
> xml:id="C"></c></b>

C0.

> Canonical XML Version 1.1 implies (through an example) that the
> canonical form of S0 is C0. However, I have seen an implementation
> use C1 as the canonical form -- I think this is incorrect, but cannot
> point to anything in the specification that says it is wrong.

You should have now, see above.

> Consider another source XML document, which we will call S4:
> S4: <a xmlns:xml="http://www.w3.org/XML/1998/namespace"><b><c
> xml:id="C"/></b></a>

C0.

> The Canonical XML Version 1.1 Recommendation could mean that the
> canonical form of a/b from S4 is C2. It could also be interpreted as
> C0. It is ambiguous how the statement that "it may, but not need,
> be declared" is to be interpreted in the context of canonicalization.

Well as said above the xml namespace *IS* always defined.

> Consider another source XML document, which we will call S1:
> S1: <a><b><c xmlns:xml="http://www.w3.org/XML/1998/namespace"
> xml:id="C"/></b></a>
> Is the canonical form of /a/b form of S1 represented by C0, C1, C2 or C3?

C0.

> The Canonical XML specification needs to be explicitly clear which is
> the canonical form when declarations of the XML namespace is
> involved.
> I suggest that a normative rule be explicitly stated that: xmlns:xml
> declarations must NOT appear anywhere in the canonical XML.

Please, see above. But we may consider to add some more explicit language.

> So C0
> is always the canonical form for all the examples mentioned in this
> email.

Correct.

> P.S. The above example documents were drawn from a set of 8 possible
> combinations. Some of these other documents are useful when
> considering the rules for the behaviour of Exclusive XML
> Canonicalization.
>
> <!ENTITY X "xmlns:xml='http://www.w3.org/XML/1998/namespace'">
>
> S0: <a><b><c xml:id="C"/></b></a>
> S1: <a><b><c &X; xml:id="C"/></b></a>
> S2: <a><b &X;><c xml:id="C"/></b></a>
> S3: <a><b &X;><c &X; xml:id="C"/></b></a>
> S4: <a &X;><b><c xml:id="C"/></b></a>
> S5: <a &X;><b><c &X; xml:id="C"/></b></a>
> S6: <a &X;><b &X;><c xml:id="C"/></b></a>
> S7: <a &X;><b &X;><c &X; xml:id="C"/></b></a>
>
>
> [1] <http://www.w3.org/TR/2006/REC-xml-names-20060816/>

--
Konrad Lanz, IAIK/SIC - Graz University of Technology
Inffeldgasse 16a, 8010 Graz, Austria
Tel: +43 316 873 5547
Fax: +43 316 873 5520
http://www.iaik.tugraz.at/content/about_iaik/people/lanz_konrad/
http://jce.iaik.tugraz.at

Certificate chain (including the EuroPKI root certificate):
https://europki.iaik.at/ca/europki-at/cert_download.htm

Received on Monday, 20 October 2008 15:55:24 UTC
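
An added illustration of the rule discussed in this message (not part of the original e-mail and not code from the Working Group): a simplified renderer applies the quoted processing-model rule to the eight sample documents S0..S7 and shows that the subset rooted at /a/b always serializes to C0, while a renderer that copies `xmlns:xml` declarations through produces the divergent forms, which would break digest comparison in signature verification. The helper names `sample`, `esc`, `render` and `canonical_b` are hypothetical; the renderer handles only elements, attributes and text, and does not implement ancestor namespace inheritance or redundant-declaration suppression.

```python
from xml.dom import minidom, Node

XML_NS = "http://www.w3.org/XML/1998/namespace"
C0 = '<b><c xml:id="C"></c></b>'
C1 = '<b><c xmlns:xml="%s" xml:id="C"></c></b>' % XML_NS

def sample(n):
    """Rebuild S0..S7 from the message: bit 4 declares xmlns:xml on <a>, 2 on <b>, 1 on <c>."""
    x = lambda bit: ' xmlns:xml="%s"' % XML_NS if n & bit else ""
    return '<a%s><b%s><c%s xml:id="C"/></b></a>' % (x(4), x(2), x(1))

def esc(s, attr=False):
    """Character escaping used in canonical output for attribute values and text."""
    s = s.replace("&", "&amp;").replace("<", "&lt;")
    if attr:
        for ch, ref in (('"', "&quot;"), ("\t", "&#x9;"), ("\n", "&#xA;"), ("\r", "&#xD;")):
            s = s.replace(ch, ref)
        return s
    return s.replace(">", "&gt;").replace("\r", "&#xD;")

def render(el, omit_xml_decl=True):
    """Simplified canonical rendering: elements, attributes and text only."""
    ns, attrs = [], []
    for a in el.attributes.values():
        if a.name == "xmlns" or a.name.startswith("xmlns:"):
            # Rule quoted from the C14N processing model: skip the namespace
            # node for prefix "xml" when its value is the XML namespace URI.
            if omit_xml_decl and a.name == "xmlns:xml" and a.value == XML_NS:
                continue
            ns.append(a)
        else:
            attrs.append(a)
    ns.sort(key=lambda a: a.name)  # namespace declarations first, by prefix
    attrs.sort(key=lambda a: (a.namespaceURI or "", a.localName))
    out = "<" + el.tagName
    out += "".join(' %s="%s"' % (a.name, esc(a.value, True)) for a in ns + attrs)
    out += ">"
    for child in el.childNodes:
        if child.nodeType == Node.ELEMENT_NODE:
            out += render(child, omit_xml_decl)
        elif child.nodeType in (Node.TEXT_NODE, Node.CDATA_SECTION_NODE):
            out += esc(child.data)
    return out + "</%s>" % el.tagName

def canonical_b(doc_text, omit_xml_decl=True):
    """Render the subset rooted at /a/b of one sample document."""
    root = minidom.parseString(doc_text).documentElement
    b = next(c for c in root.childNodes if c.nodeType == Node.ELEMENT_NODE)
    return render(b, omit_xml_decl)

if __name__ == "__main__":
    for n in range(8):
        print("S%d" % n, canonical_b(sample(n)), canonical_b(sample(n), False))
```

Passing `omit_xml_decl=False` reproduces the non-conforming behaviour reported in the quoted comment (S1 rendered as C1).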