- From: Scott Cantor <cantor.2@osu.edu>
- Date: Thu, 2 Sep 2010 10:10:55 -0400
- To: "'Meiko Jensen'" <Meiko.Jensen@ruhr-uni-bochum.de>, "'XMLSec WG Public List'" <public-xmlsec@w3.org>
> The good news: but only if the developer did not use the new QNameAware > parameter properly. I'm not sure that's true... > The details: > The Namespace Injection technique worked by exploiting the fact that > namespace prefixes used in XPath expressions were not "visibly utilized" > in the sense of Exclusive Canonicalization, hence their namespace > declaration was not protected with the digest over "SignedInfo". > > In the new specs, the proper use of the QNameAware parameter leads to > explicit declaration of exactly those mappings. I don't think so. XPath expressions are not QNames. They contain prefixes, or perhaps even something that is basically a QName, but the QNameAware parameter is *not* currently used for describing content that can contain a QName, but only for describing content that is itself solely a QName. In other words, the burden was not meant to be on the c14n layer to go parsing into content to find them. Dealing with XPath expressions is a separate (and more complex) problem. If we were to try to extend the option to cover them, I think we would have to be able to describe how exactly the c14n layer was supposed to process the expression and find the prefixes. -- Scott
Received on Thursday, 2 September 2010 14:11:31 UTC