- From: <Frederick.Hirsch@nokia.com>
- Date: Thu, 8 Nov 2012 20:49:33 +0000
- To: <cantor.2@osu.edu>
- CC: <Frederick.Hirsch@nokia.com>, <sean.mullan@oracle.com>, <edsimon@xmlsec.com>, <gkholman@cranesoftwrights.com>, <public-xmlsec@w3.org>
- Message-ID: <1CB2E0B458B211478C85E11A404A2B2701808D35@008-AM1MPN1-035.mgdnok.nokia.com>
This issue was noted in 2002, but no namespace was added: http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2002OctDec/0033.html It looks to me that the intent is to augment the XPath library with the here() function without a namespace prefix - possibly the original thinking was that it would be added to the standard XPath library but there is no documentation of that thinking (perhaps Ed or Brian remember). The current text in section 6.6.3 says in the bullet list: * A library of functions equal to the function set defined in [XPATH<http://www.w3.org/TR/2012/WD-xmldsig-core1-20121018/#bib-XPATH>] a function named here<http://www.w3.org/TR/2012/WD-xmldsig-core1-20121018/#function-here>. This corresponds to the idea that the library is augmented with here() and thus it should not be prefixed, but treated by the implementation as if it were part of XPath. Thus an implementation of signature should treat an XPath implementation as having here() as part of the library. This also avoids the potential of namespace wrapping attacks noted by Meiko, http://lists.w3.org/Archives/Public/public-xmlsec/2009Dec/0000.html Thus could we argue no change is needed apart from the editorial fix to the bullet to read as follows: * A library of functions equal to the function set defined in [XPATH<http://www.w3.org/TR/2012/WD-xmldsig-core1-20121018/#bib-XPATH>] augmented with a function named here<http://www.w3.org/TR/2012/WD-xmldsig-core1-20121018/#function-here> to be treated as if part of the library (and not namespace prefixed). Regardless of how an implementation is built is will need to augment the XPath library with here() to support XML Signature. Thoughts? regards, Frederick Frederick Hirsch Nokia On Nov 5, 2012, at 9:08 AM, ext Cantor, Scott wrote: On 11/5/12 6:19 AM, "Frederick.Hirsch@nokia.com" <Frederick.Hirsch@nokia.com> wrote: Does anyone have any concrete suggestions on how to resolve the issue, unless we maintain the original resolution which was accepted at the time? I guess there are two aspects: - Can existing usage of unqualified here() actually be processed, or was that just hand-waved around? Or is it just not used and nobody cares? - For newer applications, you could define a qualified here(). -- Scott
Received on Thursday, 8 November 2012 20:50:21 UTC