C14N11 Issue and proposal: Unclear handling of unspecified attributes in xml namespace

Issue: C14N11 [1] does not define what happens with attributes in the  
xml namespace not mentioned in the C14N11 specification.

It is unclear how attributes in the xml namespace that are not  
currently defined will be handled upon canonicalization of document  
subsets [2]. The specification is not clear on this, and should be to  
enhance interoperability.

The XML Security Specifications Maintenance WG discussed this issue  
and noted the following possibilities:

(1) Attributes in the xml namespace that are not explicitly listed in  
c14n 1.1 will not receive any special processing. This means they  
will be treated like any other element attribute and remain only with  
the element they are associated with. Specifically they will not be  
treated as "simple inheritable attributes".

This has the advantage of allowing future use of C14N11 and  
Signatures even in the presence of new attributes in the xml  
namespace. In some cases this might result in non-meaningful  
canonicalized output for document subsets unless a fixup is  
performed. However the suggestion is that the fixup not be defined in  
C14N but rather in a transform defined at the time of the definition  
of the new attribute in the xml namespace. The group noted that  
defining such a transform might be non-trivial.

(2) Attributes in the xml namespace that are not explicitly listed in  
c14n 1.1 will be treated as "simple inheritable attributes" by  
default, resulting in behavior similar to C14N 1.0.

The group noticed that a consistent behavior with C14N1.0 is not a  
requirement since the canonicalization algorithm is explicitly  

This approach has already been shown to be wrong with xml:id and  
xml:base so this is an argument against continuing the approach.  
Moreover it is hard to undo.

(3) Attributes in the xml namespace that are not explicitly listed in  
c14n 1.1 will cause an error and stop processing.

This has the advantage of being clear and deterministic, and more  
secure. However it has the major disadvantage of not enabling  
continued use of older C14N and Sig and requires new deployments of  
new standards. This may not result in timely solutions to needs in  
the future.

I believe the importance of continued functionality of existing  
specifications in light of new development with the possibility of  
minimal harm argues for #1.


Add the following text to C14N11 as a new paragraph at the end of  
section 2.4, Document Subsets [2]:

"Any attribute in the XML namespace that is neither a Simple  
Inheritable Attribute (xml:lang and xml:space as defined above), or  
xml:id or xml:base shall not receive special treatment in the  
processing of Document Subsets. Specifically, no special processing  
shall be performed to provide inheritance when processing a document  

regards, Frederick

Frederick Hirsch

[1] <http://www.w3.org/TR/xml-c14n11/>

[2] <http://www.w3.org/TR/xml-c14n11/#DocSubsets>

Received on Thursday, 3 May 2007 02:02:39 UTC