- From: Meiko Jensen <Meiko.Jensen@ruhr-uni-bochum.de>
- Date: 3 Sep 2010 10:41:39 +0200
- To: "Scott Cantor" <cantor.2@osu.edu>
- Cc: "'XMLSec WG Public List'" <public-xmlsec@w3.org>
- Message-ID: <4C80B4C3.30507@ruhr-uni-bochum.de>

Scott, all,

thanks for enlightening me.
In that case, we're still not having any progress in terms of fending namespace injection. I've reviewed the last communications we had on this, and I ended up with the impression that we had a tendency towards approaches #3 + #4 of my proposal in
http://lists.w3.org/Archives/Public/public-xmlsec/2010May/0027.html ,
however, I found no explicit resolution on this. Maybe we still have to make a decision here?

Either way, seems like my Action-538 is still open :(

best regards

Meiko

Scott Cantor wrote:
>> as far as I understood the QNameAware parameter is set "manually" by the
>> signature generator. Hence, he can choose this parameter to contain all the
>> prefixed elements and attributes he used in the selection XPaths. Thus,
>> there is no automated logic involved on how to determine the QNames/prefixes
>> from an XPath; this is up to the developer. What did I get wrong here?
>
> You're making the same mistake Frederick did at one point (and we'll need to
> add some text so people don't confuse things). The parameter is not
> identifying what actual prefixes or names are *in* the content, it's
> identifying the attributes and elements that themselves contain the QNames
> content. It's up a level from what you're talking about.
>
> Like the ID proposal, it's about injecting signer awareness of the content
> model rather than of the contents of the document. The former can (in some
> applications) be known/invariant, or configured by a deployer. The latter is
> transaction-specific.
>
> As an example:
>
> xsi:type="foo:Bar"
>
> The QNameAware reference is to xsi:type, not to foo:Bar. Anything you put
> into xsi:type can then be dealt with at runtime, simply because the signer
> knows that xsi:type always contains a QName. Doesn't matter what any
> particular QName happened to be.
>
> -- Scott

-- 
Dipl.-Inf. Meiko Jensen
Chair for Network and Data Security
Horst Görtz Institute for IT-Security
Ruhr University Bochum, Germany
_____________________________
Universitätsstr. 150, Geb. ID 2/411
D-44801 Bochum, Germany
Phone: +49 (0) 234 / 32-26796
Telefax: +49 (0) 234 / 32-14347
http://www.nds.rub.de

Received on Friday, 3 September 2010 08:42:08 UTC
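
Added example, not part of the original message or of any XMLSec WG specification text: a Python sketch of the distinction in the quoted reply, where the signer configures only that xsi:type holds a QName and the prefix actually used is resolved at runtime from the in-scope namespace declarations. The sample document, the urn:example namespaces and the function name are constructed for illustration.

```python
import io
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Content-model knowledge configured by the signer: attributes whose *value*
# is a QName. Which attributes go in this set is an assumption of the sketch.
QNAME_AWARE_ATTRS = frozenset({"{%s}type" % XSI})

# Constructed sample: "foo" never appears in an element or attribute name,
# and is bound to a different namespace inside <wrap>.
SAMPLE = """\
<doc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:foo="urn:example:outer" xmlns:unused="urn:example:unused">
  <item xsi:type="foo:Bar"/>
  <wrap xmlns:foo="urn:example:inner">
    <item xsi:type="foo:Bar"/>
  </wrap>
</doc>
"""

def resolve_qname_values(xml_text, qname_attrs=QNAME_AWARE_ATTRS):
    """Return (element, raw value, prefix, namespace URI) per QName-valued attribute."""
    scopes = [{}]   # stack of in-scope prefix -> URI bindings
    pending = {}    # declarations reported just before their element starts
    resolved = []
    events = ET.iterparse(io.BytesIO(xml_text.encode("utf-8")),
                          events=("start-ns", "start", "end"))
    for event, obj in events:
        if event == "start-ns":
            pending[obj[0]] = obj[1]
        elif event == "start":
            scope = {**scopes[-1], **pending}
            pending = {}
            scopes.append(scope)
            for name, value in obj.attrib.items():
                if name not in qname_attrs:
                    continue
                head, sep, _local = value.strip().partition(":")
                prefix = head if sep else ""   # no colon: default namespace
                if prefix and prefix not in scope:
                    raise ValueError("undeclared prefix in %s: %r" % (name, value))
                resolved.append((obj.tag, value, prefix, scope.get(prefix)))
        else:  # "end": leave this element's namespace scope
            scopes.pop()
    return resolved
```

The identical text foo:Bar resolves to two different namespaces here, which is why the bindings for prefixes used inside QName-aware values have to be preserved alongside the signed content, while the declaration for "unused" does not.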