- From: Thomas Roessler <tlr@w3.org>
- Date: Mon, 13 Aug 2007 10:59:21 +0200
- To: Frederick Hirsch <frederick.hirsch@nokia.com>
- Cc: XMLSec <public-xmlsec-maintwg@w3.org>
On 2007-08-07 16:34:26 -0400, Frederick Hirsch wrote:

> From:
> "However, some Unicode characters are disallowed from URI references
> including all non-ASCII characters and the excluded characters listed in
> RFC3986 [URI, section 2.4]. However, the number sign (#), percent sign (%),
> and square bracket characters re-allowed in RFC 2732 [URI-Literal] are
> permitted."

> To:
> "Use of characters must follow the rules in RFC 3986. For example, RFC 3986
> only permits square bracket characters within the host portion of a URI for
> IPv6 to enclose an IPv6 literal IP address (Section 3.2.2 [URI]). The
> percent sign (%) must be percent-encoded as "%25" for that
> octet to be used as data within a URI since it serves as the indicator for
> percent-encoded octets (Section 2.4 [URI]). The number sign (#) may be used
> but must be percent-encoded where it might be confused for terminating a URI
> and indicating a fragment."

Reading and re-reading both xmldsig-core and 2396, it appears as though the intent of the text in xmldsig-core was to say something along these lines: "XML-technically, everything is allowed, however, a URI-reference is more constrained. Please honor these constraints. And btw, the following constraints aren't meant the way they are written." -- specifically, '%' and '#' being on the list of excluded characters even though they obviously appear in URI references and therefore aren't really excluded. (However, they are reserved, and need to be encoded.)

The way that is written is confusing at best, and I don't think we're doing ourselves (or anybody) a favor by listing more special case rules that simply re-state some requirements from 3986.

> Alternatively we could remove the text I've marked as from.

+1 to that.

The beginning of the next sentence could then be changed to read as follows:

    Characters disallowed in URI references by [URI] MUST be escaped as specified in [URI]:

Note that this includes a borderline case of conformance changes ("must" -> "MUST"); however, in this case, it would appear that the encoding is actually meant to be mandatory. The only change against the (old) URI spec seems to be mandating UTF-8.

Comments welcome.

> 2) Remove URI-Literal from list of references, i.e. remove:
>
> "URI-Literal
> RFC 2732. Format for Literal IPv6 Addresses in URL's. R. Hinden, B.
> Carpenter, L. Masinter. December 1999.
> http://www.ietf.org/rfc/rfc2732.txt"

+1

--
Thomas Roessler, W3C <tlr@w3.org>
Received on Monday, 13 August 2007 08:59:34 UTC
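
The escaping rule discussed in this message (characters not allowed by RFC 3986 are converted to UTF-8 and each byte written as %HH, with a data '%' written as "%25"), as an added example that is not part of the original message or of the specification text. The function names are hypothetical, and treating an existing well-formed %HH triplet as already escaped is an assumption of this sketch.

```python
import re

# Characters RFC 3986 allows literally somewhere in a URI reference:
# unreserved plus reserved (gen-delims and sub-delims). '%' is handled apart.
_UNRESERVED = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
_RESERVED = ":/?#[]@!$&'()*+,;="
_ALLOWED = set(_UNRESERVED + _RESERVED)
_PCT_TRIPLET = re.compile(r"%[0-9A-Fa-f]{2}")


def escape_uri_reference(value: str) -> str:
    """Percent-encode characters RFC 3986 does not allow in a URI reference.

    Limitations (by design of this sketch): it does not check that '[' and ']'
    sit in the host part, and it leaves every '#' alone rather than guessing
    which one is the fragment delimiter.
    """
    out = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "%":
            if _PCT_TRIPLET.match(value, i):
                # Assumption: a well-formed %HH is already an escaped octet.
                out.append(value[i:i + 3])
                i += 3
                continue
            out.append("%25")  # a bare '%' is data and must become %25
        elif ch in _ALLOWED:
            out.append(ch)
        else:
            # Disallowed (space, quotes, non-ASCII, ...): UTF-8 bytes as %HH.
            out.extend(f"%{b:02X}" for b in ch.encode("utf-8"))
        i += 1
    return "".join(out)


def has_only_uri_characters(value: str) -> bool:
    """True if value needs no escaping, i.e. escaping leaves it unchanged."""
    return escape_uri_reference(value) == value


if __name__ == "__main__":
    # Constructed sample values, not taken from the message.
    for sample in ["#sig-\u00e9", "doc.xml?rate=100%", "a b", "x%2Fy"]:
        print(repr(sample), "->", escape_uri_reference(sample))
```
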