RE: ACTION-581: proposal around IDness of attributes from Pratik Datta on 2010-08-30 (public-xmlsec@w3.org from August 2010)

From: Pratik Datta <pratik.datta@oracle.com>
Date: Mon, 30 Aug 2010 10:30:57 -0700 (PDT)
To: Scott Cantor <cantor.2@osu.edu>, public-xmlsec@w3.org
Message-ID: <c3d599f2-44db-49d8-8aa0-305bdae5aee2@default>

I had intended our XPath streaming profile to be reusable, so that other specifications can also use it. E.g. we were planning for this to be shared with WS-Transfer.
So it shouldn't have any dependencies on XML signature. I.e. XML signature 2.0 should depend on XPath profile for XML signature, but not the other way around. 

That is why think dsig2:IDAttributes should not be used by the XPath.

This is what we are publishing for tomorrow
* XPath profile includes the id() function, but says that IDs are only defined by DTDs.
* XML signature 2.0 goes with option 1 - i.e the dsig2:IDAttributes should only have only one ID attribute definition - the one used by the reference

But we can change it after further discussion.

Pratik



-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu] 
Sent: Thursday, August 26, 2010 7:18 AM
To: Pratik Datta; public-xmlsec@w3.org
Subject: RE: ACTION-581: proposal around IDness of attributes

> Since this element is per reference, should the signer precisely specify
how
> the ID was specified, or give a generic list of ID attribute definitions?

The latter, because of the option to use them in XPath selections. If you
remove that aspect from the XPath subset you're allowing, then I would say
we can switch it to one and optimize the syntax.

> E.g. let us say the first reference  uses xml:Id and the second uses
wsu:ID.
> Does the signer have to put in xml:Id  for the first and wsu:ID front the
> second, or can he put in both for both references? The second option is
> imprecise, but it is easier for the signer, he can just say list out all
the
> Id mechanisms that he normally uses, and not precisely specify which one
he
> is using for a particular reference. However the first option is better
for
> the verifier and that is what I have assumed.

Either is fine, IMHO. I would probably use text like "if the selection URI
or XPath expressions include the use of an ID attribute, the signer SHOULD
identify all such attributes using the dsig2:IDAttributes element".

-- Scott

Received on Monday, 30 August 2010 17:35:02 UTC