- From: Frederick Hirsch <frederick.hirsch@nokia.com>
- Date: Wed, 20 Jan 2010 10:46:43 -0500
- To: ext Scott Cantor <cantor.2@osu.edu>
- Cc: Frederick Hirsch <frederick.hirsch@nokia.com>, "'MURATA Makoto (FAMILY Given)'" <eb2m-mrt@asahi-net.or.jp>, "'XMLSec WG Public List'" <public-xmlsec@w3.org>

One item ds:Object is expected to contain is SignatureProperties and when it does, validating the schema for SignatureProperties can be helpful as far as possible.

Is it the case that the RNG schemas are good or is there an issue with the schemas as written...

regards, Frederick

Frederick Hirsch
Nokia

On Jan 20, 2010, at 10:41 AM, ext Scott Cantor wrote:

> MURATA Makoto (FAMILY Given) wrote on 2010-01-20:
>>>> Again, are preceding and following foreign elements disallowed?
>>>> Apart from the RSA-OAEP algorithm, what is allowed? RSA Version 1.5
>>>> only?
>>>
>>> Algorithms are extensible. You can determine what the content is
>>> for the known algorithms, but not the unknown ones.
>>
>> But what are the known algorithms? RSA-OAEP and RSA Version 1.5
>> only?
>> When permissible contents are clearly defined, I would like to capture
>> them in the RELAX NG schema.
>
> The algorithms vary by context, I believe, not specifically in terms
> of that XML element, which is generic and used for different things
> in the spec. Those two are for key transport, for example, vs. others
> that are key wrapping, others for actual encryption, etc.
>
>> Actually, in RELAX NG, if you want to validate SignatureValue (rather
>> than skipping it) in Object for example, you have to explicitly
>> reference the pattern for SignatureValue.
>
> Object doesn't normally contain a SignatureValue, it carries
> something you'd be signing.
>
>>> And every other element in the world.
>>
>> Such foreign elements are allowed by
>>
>>   ds_ObjectChild |= anyForeignElement
>>
>> in allowAnyForeign.rnc. So, you can impose tight restrictions by
>> using xmldsig-core-schema.rnc only.
>
> Nobody would be likely to do that. Object is a wrapper for arbitrary
> XML, not specifically for XML from this schema. That would be far less
> common, I would think. If you're saying there's no equivalent of
> ##any, then I guess you're stuck enumerating everything in the schema.
>
> -- Scott

Received on Wednesday, 20 January 2010 15:48:39 UTC