- From: Konrad Lanz <Konrad.Lanz@iaik.tugraz.at>
- Date: Wed, 30 Apr 2008 12:21:16 +0200
- To: Frederick Hirsch <frederick.hirsch@nokia.com>
- CC: XMLSec XMLSec <public-xmlsec-maintwg@w3.org>, ext Thomas Roessler <tlr@w3.org>
- Message-ID: <4818481C.4090405@iaik.tugraz.at>
Hi Frederick,

a very quick reaction, do not nail me down on something, but I HTH ...

Frederick Hirsch wrote:
> I believe updating an XML 1.0, Second Edition [1] reference to XML
> 1.0 Fourth Edition [2] in XML Signature, Second Edition PER [3] may
> be useful and appropriate.
>
Agree in principle, but ... (see below)

> [...] update of the URI reference from RFC 2732 to RFC 3986.
>
Should be fine and we do the same here for XMLDSig (second edition),
http://www.w3.org/TR/2008/PER-xmldsig-core-20080326/review.html#ref-URI

We are also using XML (Fourth Edition) already, in c14n11
http://www.w3.org/TR/xml-c14n11/#XML

and btw. [IETF RFC 2396] and [IETF RFC 2732] have not been normative in
XML (second edition) http://www.w3.org/XML/xml-V10-2e-errata#E16

> [...] Do members of this group, in particular those involved with the XML
> Core WG, believe it would be appropriate to update the XML 1.0
> reference in XML Signature, Second Edition to the Fourth Edition of
> XML, and would doing so be viewed as editorial or a more substantive
> change?
>
Well http://www.w3.org/XML/xml-V10-2e-errata contains a set of quite
substantial changes, but just a very few affecting XMLDSig directly.

My anticipation would be that most implementations' underlying XML
libraries would have incorporated those changes anyway already as of
today ...

Having said that, we should review if change
http://www.w3.org/XML/xml-V10-2e-errata#E41 can cause headaches with
canonicalization.

My first reaction would be that the xml:lang="" undeclaration would
work just as a redeclaration with the empty string does, and should not
immediately cause headaches.

Nevertheless there is a different treatment to namespace undeclarations
xmlns="".

E.g.:

<foo xmlns="" xml:lang="">
  <bar/>
</foo>

canonicalizing bar would return in c14n and c14n11

<bar xml:lang=""/>

instead of

<bar/>

, which is okay, and there is also not a lot we could do about this
having deployed c14n and c14n11.

Nevertheless, in the spirit of removing superfluous declarations
http://www.w3.org/TR/xml-c14n11/#SuperfluousNSDecl
C14n V-next should have an ACTION to harmonize this treatment.

Btw: What about those References:
http://www.w3.org/TR/xml-c14n#XML

And maybe also ...
http://www.w3.org/2007/xmlsec/Drafts/xmlenc-decrypt/#ref-XML

What about XMLEnc --> Next XML Security WG?

> Would such a change have an impact on implementors?
>
I do not think so, as the changes mostly affect the parser level ...

> It may be that XML Signature is mostly orthogonal to those changes,
> in particular since the XML Fourth edition does not represent a new
> version of XML, and thus this could be treated as editorial
>
Yes, I agree.

> (3) A similar issue may also apply to Namespaces in XML 1.0 [6]
> which have been updated to Namespaces in XML 1.0, Second Edition
> [7], where the errata includes primarily the deprecation of relative
> URIs in namespace declarations [8].

There are legacy implications with respect to
http://www.w3.org/TR/xml-c14n and http://www.w3.org/TR/xml-c14n11 .

A Canonicalization V-next should either reassess its stand on being
able to treat relative URIs in namespace declarations, as we believe
c14n11 can do, or respect the deprecation by issuing an error.

> What are thoughts on updating
> this reference, treating it as editorial?
>
Interesting here is the combination of
http://www.w3.org/XML/xml-V10-4e-errata#E10 with Namespace
undeclarations and the fact that the XPath data Model is not defined
for XML 1.1 .

It is a little bit messy around this area ;-) and I need more time to
think about this, and comments from others that would also review it are
very welcome.

> It seems these changes are editorial in nature. Do you have insights
> or views on this?
>
I'm running out of time today, but I'll think about it ...

> I'm not sure I understand that the unicode reference needs updating,
> any thoughts on that reference?
>
same (no time) ...

> Thanks
>
> regards, Frederick
>
> Frederick Hirsch
> Nokia
>
> [1] http://www.w3.org/TR/2000/REC-xml-20001006
>
> [2] http://www.w3.org/TR/2006/REC-xml-20060816/
>
> [3] http://www.w3.org/TR/2008/PER-xmldsig-core-20080326/
>
> [4] http://www.w3.org/TR/2006/PER-xml-20060614/
>
> [5] http://www.w3.org/TR/2004/REC-xml-20040204/
>
> [6] http://www.w3.org/TR/1999/REC-xml-names-19990114/
>
> [7] http://www.w3.org/TR/REC-xml-names/
>
> [8] http://www.w3.org/TR/REC-xml-names/#errata10
>
> regards, Frederick
>
> Frederick Hirsch
> Nokia
>
> On Apr 29, 2008, at 9:29 AM, ext Thomas Roessler wrote:
>
>> Hello,
>>
>> we've received one comment about XML Signature PER which requests a
>> review of the references, specifically XML 2nd Edition and Unicode.
>>
>> Forwarded with permission.
>>
>> Regards,
>> --
>> Thomas Roessler, W3C <tlr@w3.org> +33-4-89063488
>>
>> On 2008-04-06 13:10:01 +0000, WBS Mailer on behalf of
>> innovimax+w3c@gmail.com wrote:
>>
>>> From: "WBS Mailer on behalf of innovimax+w3c@gmail.com"
>>> <webmaster@w3.org>
>>> To: innovimax+w3c@gmail.com,
>>> team-security-activity-proposal-review@w3.org
>>> Date: Sun, 06 Apr 2008 13:10:01 +0000
>>> Subject: [wbs] response to 'Call for Review: XML Signature Syntax and
>>> Processing (Second Edition) is W3C Proposed Recommendation'
>>> Reply-To: innovimax+w3c@gmail.com
>>> List-Id: <team-security-activity-proposal-review.w3.org>
>>> X-Spam-Level:
>>> Archived-At:
>>> <http://www.w3.org/mid/wbs-f743d3cf28a5f52bede4713530dde6b5@cgi.w3.org>
>>> X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.1.6
>>>
>>> The following answers have been successfully submitted to 'Call
>>> for Review:
>>> XML Signature Syntax and Processing (Second Edition)
>>> is W3C Proposed Recommendation' (Advisory Committee) for
>>> INNOVIMAX by
>>> Mohamed ZERGAOUI.
>>>
>>> Regarding the "XML Signature Syntax and Processing (Second Edition)"
>>> specification, the reviewer suggests changes, and only supports
>>> publication as a Recommendation if the changes are adopted.
>>>
>>> Additional comments about the specification:
>>> The references are almost all out of synch and may introduce
>>> burden
>>> because of misinterpretation, mainly due to references to old Unicode
>>> publication directly and to XML second edition.
>>>
>>> I ask that all references should be carefully weighed to not
>>> introduce
>>> more problems than solutions
>>>
>>> The reviewer's organization:
>>> - produces products addressed by this specification
>>>
>>> Answers to this questionnaire can be set and changed at
>>> http://www.w3.org/2002/09/wbs/33280/xmlsigper2008/ until 2008-04-30.
>>>
>>> Regards,
>>>
>>> The Automatic WBS Mailer
>>>
>>
>

--
Konrad Lanz, IAIK/SIC - Graz University of Technology
Inffeldgasse 16a, 8010 Graz, Austria
Tel: +43 316 873 5547
Fax: +43 316 873 5520
https://www.iaik.tugraz.at/aboutus/people/lanz
http://jce.iaik.tugraz.at

Certificate chain (including the EuroPKI root certificate):
https://europki.iaik.at/ca/europki-at/cert_download.htm

Received on Wednesday, 30 April 2008 10:22:21 UTC
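
The xml:lang="" versus xmlns="" asymmetry discussed in the message above, as an added example that is not part of the original message or of any W3C text. It is a simplified model: canonical_apex and the sample chains are constructed for illustration, and it assumes an empty apex element, only the default namespace plus xml:lang / xml:space, no prefixes and no character escaping.

```python
# Added illustration: how C14N 1.0 / 1.1 render the apex element of a
# document subset when its ancestors are left out of the node-set.
# Canonical XML writes an empty element as a start/end pair, so the
# message's <bar/> appears here as <bar></bar>.

INHERITABLE = ("xml:lang", "xml:space")  # inherited the same way in both versions


def canonical_apex(chain):
    """chain: [(name, raw_attrs), ...] from the document root down to the apex.
    Only the last entry is in the node-set; returns its canonical form."""
    *ancestors, (name, attrs) = chain

    # Default namespace in scope at the apex: the nearest declaration wins.
    default_ns = ""
    for _, a in chain:
        default_ns = a.get("xmlns", default_ns)

    # xmlns="" is only emitted to cancel a non-empty default namespace on an
    # *output* ancestor. The apex has no output ancestor, so it is dropped.
    ns_part = f' xmlns="{default_ns}"' if default_ns else ""

    # xml:* attributes: the nearest ancestor occurrence is copied onto the
    # apex unless the apex has its own. An empty value still counts.
    merged = {}
    for _, a in ancestors:  # root -> parent, so nearer ancestors override
        for key in INHERITABLE:
            if key in a:
                merged[key] = a[key]
    merged.update({k: v for k, v in attrs.items() if k != "xmlns"})

    # Unqualified attributes sort before xml:* ones, then by name.
    ordered = sorted(merged.items(), key=lambda kv: (kv[0].startswith("xml:"), kv[0]))
    attr_part = "".join(f' {k}="{v}"' for k, v in ordered)
    return f"<{name}{ns_part}{attr_part}></{name}>"


# The case from the message: both "undeclarations" sit on the omitted parent.
PAGE_CASE = [("foo", {"xmlns": "", "xml:lang": ""}), ("bar", {})]

if __name__ == "__main__":
    print(canonical_apex(PAGE_CASE))  # xml:lang="" survives, xmlns="" does not
```

For XML Signature the digest is computed over these bytes, so signer and verifier must agree on whether the empty xml:lang is emitted.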