- From: <frederick.hirsch@nokia.com>
- Date: Mon, 19 Sep 2011 20:24:44 +0000
- To: Grosso@jessica.w3.org, Paul <pgrosso@ptc.com>
- Cc: public-xmlsec@w3.org
Dear Grosso, Paul,

The XML Security Working Group has reviewed the comments you sent [1] on the Last Call Working Draft [2] of the XML Signature Syntax and Processing Version 2.0 published on 21 Apr 2011. Thank you for having taken the time to review the document and to send us comments!

The Working Group's response to your comment is included below, and has been implemented in the new version of the document available at: http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-20/#sec-NamespaceContext.

Please review it carefully and let us know by email at public-xmlsec@w3.org if you agree with it or not before 26 September 2011. In case of disagreement, you are requested to provide a specific solution for or a path to a consensus with the Working Group. If such a consensus cannot be achieved, you will be given the opportunity to raise a formal objection which will then be reviewed by the Director during the transition of this document to the next stage in the W3C Recommendation Track.

Thanks,

For the XML Security Working Group,
Thomas Roessler
W3C Staff Contact

1. http://www.w3.org/mid/9B2DE9094C827E44988F5ADAA6A2C5DA02EE3A07@HQ-MAIL9.ptcnet.ptc.com
2. http://www.w3.org/TR/2011/WD-xmldsig-core2-20110421/

=====

Your comment on the document as a whole:

> 1 XML Signature Syntax and Processing Version 2.0
>
> http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-20/
>
> Specification uses term "XML namespace URI" instead of "namespace name"
>
> Although this probably doesn't create confusion, such informal term
> shouldn't appear in W3C spec. Either proper term "namespace name" should
> be used (see http://www.w3.org/TR/xml-names/#dt-NSName) or at least "XML
> namespace URI" should be put into Appendix A - Definitions and be
> properly defined here as a synonym of "namespace name".
>
> Insufficiently defined context for XPath evaluation in "10.6.1
> Selection of XML Documents or Fragments"
>
> XPath 1.0 specification defines the following properties for context
> - a node (the context node)
> - a pair of non-zero positive integers (the context position and the
>   context size)
> - a set of variable bindings
> - a function library
> - the set of namespace declarations in scope for the expression
>
> Only the context node is defined in this specification, other
> properties should be defined as well.
>
> Typo in "11.3 Namespace Context and Portable Signatures"
>
> In addition, the Canonical XML and Canonical XML with Comments
> algorithms import all XML namespace attributes (such as xml:lang) from
> the…
>
> There shouldn't be xml:lang, but namespace declaration attribute like
> xmlns:foo.
>
> Also using entity references in examples as content of namespace
> declarations looks quite confusing.
>
> "B.7.2 Base64"
>
> Transformation as described assumes that operates on text node --
> otherwise it will always return empty string. I'm not sure whether this
> is correct assumption.
> Omitting operation 1) will fix this problem

Working Group Resolution (LC-2488):

Details of original XML Security WG response (and corresponding changes) are here:
http://lists.w3.org/Archives/Public/public-xmlsec/2011Sep/0026.html

Feedback with continued concern with "XML Namespace Attributes" language (other changes accepted) in section 11.3:
http://lists.w3.org/Archives/Public/public-xmlsec/2011Sep/0029.html
(and http://lists.w3.org/Archives/Public/public-xmlsec/2011Sep/0030.html )

Formal endorsement of XML Core WG:
http://lists.w3.org/Archives/Public/public-xmlsec/2011Sep/0038.html

XML Security WG resolution of issue, changing the language:
http://lists.w3.org/Archives/Public/public-xmlsec/2011Sep/0040.html

Agreed at XML Security WG teleconference,
http://lists.w3.org/Archives/Public/public-xmlsec/2011Sep/att-0044/minutes-2011-09-13.html#item04

This change should address the concern by adopting revised text as follows:

Original text:

In addition, the Canonical XML and Canonical XML with Comments algorithms **import** **all** **XML namespace attributes** (such as xml:lang) from the nearest ancestor in which they are declared to the apex node of canonicalized XML unless they are already declared at that node. This may frustrate the intent of the signer to create a signature in one context which remains valid in another.

Revised text:

[[
In addition, the Canonical XML and Canonical XML with Comments algorithms define special treatment for attributes in the XML namespace, which can cause them to be part of the canonicalized XML even if they were outside of the document subset. Simple inheritable attributes are inherited from nearest ancestor in which they are declared to the apex node of canonicalized XML unless they are already declared at that node. This may frustrate the intent of the signer to create a signature in one context which remains valid in another.
]]

See http://lists.w3.org/Archives/Public/public-xmlsec/2011Sep/0046.html

----
Received on Monday, 19 September 2011 20:24:50 UTC
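
Added illustration, not part of the archived message or of the Working Group's text: a simplified Python model of the behaviour the revised section 11.3 wording describes, showing that the digest of one signed subtree changes with the `xml:lang` of its enclosing document. It is not a conforming Canonical XML implementation; the sample documents, the function names and the `inherit` switch are constructed for this example, and namespace-declaration handling is left out.

```python
import copy
import hashlib
import xml.etree.ElementTree as ET

XML_NS = "{http://www.w3.org/XML/1998/namespace}"
# Assumption: "simple inheritable attributes" is modelled as xml:lang and xml:space.
SIMPLE_INHERITABLE = (XML_NS + "lang", XML_NS + "space")

# Constructed samples: the same <Order> subtree placed in two different contexts.
ENVELOPE_A = '<Envelope xml:lang="en"><Order id="o1"><Item>widget</Item></Order></Envelope>'
ENVELOPE_B = ('<Archive xml:lang="de"><Batch><Order id="o1"><Item>widget</Item>'
              '</Order></Batch></Archive>')


def ancestors_of(root, target):
    """Return the ancestors of target, nearest first."""
    parent = {child: p for p in root.iter() for child in p}
    chain, node = [], target
    while node in parent:
        node = parent[node]
        chain.append(node)
    return chain


def subset_digest(document, tag, inherit=True):
    """Canonicalize the subtree rooted at the first <tag> element and hash it.

    inherit=True copies xml:lang / xml:space from the nearest declaring
    ancestor onto the apex unless the apex already declares them.
    inherit=False is a hypothetical switch that leaves the apex untouched.
    """
    root = ET.fromstring(document)
    target = next(e for e in root.iter() if e.tag == tag)
    apex = copy.deepcopy(target)
    apex.tail = None  # text after the subtree is outside the subset
    if inherit:
        for ancestor in ancestors_of(root, target):
            for name in SIMPLE_INHERITABLE:
                if name in ancestor.attrib and name not in apex.attrib:
                    apex.set(name, ancestor.attrib[name])
    canonical = ET.canonicalize(ET.tostring(apex, encoding="unicode"))
    return canonical, hashlib.sha256(canonical.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for label, doc in (("A", ENVELOPE_A), ("B", ENVELOPE_B)):
        for inherit in (True, False):
            canonical, digest = subset_digest(doc, "Order", inherit)
            print(label, "inherit" if inherit else "no-inherit", digest[:16], canonical)
```

With inheritance modelled, the two digests differ although the `<Order>` bytes the signer selected are identical, which is the portability problem the revised text names.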