- From: Meiko Jensen <Meiko.Jensen@rub.de>
- Date: 19 Apr 2010 20:11:25 +0200
- To: "Scott Cantor" <cantor.2@osu.edu>
- Cc: "'XMLSec WG Public List'" <public-xmlsec@w3.org>
Hi Scott,

see inline

Scott Cantor schrieb:
>> Section 6: QNames in content. Searching all text nodes for potential use
>> of prefixes is a horribly bad idea. Besides the performance overhead
>> you'll get weird matches, resulting in different namespace declarations
>> being covered within structurally identical XML documents. Major source
>> of confusion and unexplainable signature invalidations.
>
> I don't propose searching all text nodes, but I do believe enumerating the
> qualified names of nodes that are QName-valued to be useful and frankly
> necessary.

OK, this makes way more sense to me. However, I wonder what this approach can
achieve beyond the InclusiveNamespaces PrefixList that is already defined. If
one uses a QName in a text node, one can either mark that node as
"QName-relevant content", hence have it parsed for prefixes and embed them, or
one can put the prefixes used in the QNames on the InclusiveNamespaces list,
hence having them embedded regardless of whether they are "visibly utilized".
I'm not sure which approach is better or whether one already includes the
other.

> On a separate but similar topic, I also think in the absence of schema-aware
> c14n that we have an obligation to allow the specification of ID-valued
> attributes to ensure better and safer interop of ID-based references. It
> doesn't by itself address wrapping attacks but it's an improvement on
> guessing ID-ness.

I'm not sure I understood your point. I have no objections to the fact that we
have to support schema-unaware (or DTD-unaware) applications of XML Signature;
however, does this imply that we are not allowed to propose solutions that do
well with schema but are not applicable / not relevant without, as long as we
propose general "fallback" solutions for the schema-unaware cases as well?

> (To anticipate a response, yes, in an ideal world we'd just use schemas and
> both issues would be addressed. But in this world, people often don't use
> them at runtime, nor do they use DTDs.)
I plead guilty to having done this several times as well. Please don't get me
wrong, I don't say abandon the old, but I see some potential for optimization
(and for vulnerabilities as well), especially regarding the broad use cases of
Web Services. Maybe I'm biased in this.

best regards
Meiko
Received on Monday, 19 April 2010 18:11:56 UTC
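The exchange above is about what a canonicalizer should do with a namespace prefix that appears only inside text content (a QName value) rather than in an element or attribute name. The following is an added example, not code from the thread or from the W3C working group: it uses the Canonical XML 2.0 implementation in Python's standard library (xml.etree.ElementTree.canonicalize, Python 3.8 and later), whose qname_aware_tags option is the "enumerate the QName-valued nodes" approach Scott describes. The InclusiveNamespaces PrefixList alternative Meiko mentions belongs to Exclusive C14N 1.0 and has no equivalent in this API, so it is not shown. The two documents, the namespace URIs, the element names and the function names are constructed for this illustration.

```python
"""Added example (not from the thread): what C14N 2.0's QName-aware
processing changes for a namespace prefix that is used only in text
content.  Requires Python 3.8+ (stdlib Canonical XML 2.0)."""
from xml.etree.ElementTree import canonicalize

# Constructed input: the "ds" prefix is declared on the root element but
# is used only inside the text of <e:Type>, never in a tag or attribute
# name, so it is not "visibly utilized" in the Exclusive C14N sense.
DOC_A = ('<e:Envelope xmlns:e="urn:example:env" xmlns:ds="urn:example:sig">'
         '<e:Type>ds:Foo</e:Type></e:Envelope>')

# Structurally identical information: same namespace URI behind the QName,
# but declared on the child and bound to a different prefix.
DOC_B = ('<e:Envelope xmlns:e="urn:example:env">'
         '<e:Type xmlns:dsig="urn:example:sig">dsig:Foo</e:Type></e:Envelope>')

# Clark-notation name of the one element whose content is QName-valued.
# Only this element's text is inspected; every other text node is copied
# verbatim, so a "12:30" or "urn:x" elsewhere is never mistaken for a QName.
QNAME_VALUED = ["{urn:example:env}Type"]


def c14n_plain(xml: str) -> str:
    """Default options: a prefix counts as used only when it appears in an
    element or attribute name.  The ds/dsig declaration is dropped and the
    text is emitted unchanged, so the receiver can no longer resolve it."""
    return canonicalize(xml)


def c14n_qname_aware(xml: str) -> str:
    """Treat <e:Type> content as a QName and rewrite prefixes (n0, n1, ...)
    so the namespace is declared where it is needed and the original
    prefix spelling no longer influences the canonical bytes."""
    return canonicalize(xml, qname_aware_tags=QNAME_VALUED,
                        rewrite_prefixes=True)


def keeps_sig_namespace(c14n_output: str) -> bool:
    """True if the namespace behind the QName survives canonicalization."""
    return "urn:example:sig" in c14n_output


if __name__ == "__main__":
    for label, fn in (("plain", c14n_plain), ("qname-aware", c14n_qname_aware)):
        a, b = fn(DOC_A), fn(DOC_B)
        print(f"[{label}] A: {a}")
        print(f"[{label}] B: {b}")
        print(f"[{label}] sig namespace kept: {keeps_sig_namespace(a)}; "
              f"A == B: {a == b}")
```

With the default options the two documents canonicalize to different byte strings (the text keeps its original prefix) and neither output declares the signature namespace at all, which is exactly the "unexplainable signature invalidation" and the resolution problem the thread is about. Once the QName-valued element is enumerated, the declaration is emitted on that element and both documents canonicalize identically, without scanning any other text node.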