- From: Frederick Hirsch <frederick.hirsch@nokia.com>
- Date: Wed, 2 May 2007 22:02:31 -0400
- To: XMLSec <public-xmlsec-maintwg@w3.org>
- Cc: Hirsch Frederick <frederick.hirsch@nokia.com>
Issue: C14N11 [1] does not define what happens with attributes in the xml namespace not mentioned in the C14N11 specification. Rationale: It is unclear how attributes in the xml namespace that are not currently defined will be handled upon canonicalization of document subsets [2]. The specification is not clear on this, and should be to enhance interoperability. The XML Security Specifications Maintenance WG discussed this issue and noted the following possibilities: (1) Attributes in the xml namespace that are not explicitly listed in c14n 1.1 will not receive any special processing. This means they will be treated like any other element attribute and remain only with the element they are associated with. Specifically they will not be treated as "simple inheritable attributes". This has the advantage of allowing future use of C14N11 and Signatures even in the presence of new attributes in the xml namespace. In some cases this might result in non-meaningful canonicalized output for document subsets unless a fixup is performed. However the suggestion is that the fixup not be defined in C14N but rather in a transform defined at the time of the definition of the new attribute in the xml namespace. The group noted that defining such a transform might be non-trivial. (2) Attributes in the xml namespace that are not explicitly listed in c14n 1.1 will be treated as "simple inheritable attributes" by default, resulting in behavior similar to C14N 1.0. The group noticed that a consistent behavior with C14N1.0 is not a requirement since the canonicalization algorithm is explicitly specified. This approach has already been shown to be wrong with xml:id and xml:base so this is an argument against continuing the approach. Moreover it is hard to undo. (3) Attributes in the xml namespace that are not explicitly listed in c14n 1.1 will cause an error and stop processing. This has the advantage of being clear and deterministic, and more secure. However it has the major disadvantage of not enabling continued use of older C14N and Sig and requires new deployments of new standards. This may not result in timely solutions to needs in the future. I believe the importance of continued functionality of existing specifications in light of new development with the possibility of minimal harm argues for #1. Proposal: Add the following text to C14N11 as a new paragraph at the end of section 2.4, Document Subsets [2]: "Any attribute in the XML namespace that is neither a Simple Inheritable Attribute (xml:lang and xml:space as defined above), or xml:id or xml:base shall not receive special treatment in the processing of Document Subsets. Specifically, no special processing shall be performed to provide inheritance when processing a document subset." regards, Frederick Frederick Hirsch Nokia [1] <http://www.w3.org/TR/xml-c14n11/> [2] <http://www.w3.org/TR/xml-c14n11/#DocSubsets>
Received on Thursday, 3 May 2007 02:02:39 UTC