Re: Potential issues in XML Schema files pointed out from XML Sig v1.1?

Juan Carlos

I think these issues warrant an errata item, so we can consider that. Do you have specific proposed fixes for your second item?

However, as Scott and Hal point out, it should not be an implementation blocker given that retrieval from the W3C site is not best.

regards, Frederick

Frederick Hirsch
Chair XML Security WG

fjhirsch.com
@fjhirsch


> On Jun 8, 2015, at 1:06 PM, Juan Carlos Cruellas <cruellas@ac.upc.edu> wrote:
> 
> Thanks for this Scott and Hal,
> 
> I see your point...however, I tend to think that there is no point in having a driver file that points to nowhere, and IMHO this should be changed to point to the right place: as it is now it is basically making a wrong statement.
> 
> Also, even if I agree that security issues would advise that implementers get copies of the XML Schema files and get them from their local store, putting in xmlsig11 the right pointer to the xmlsig would publicly declare within this XML Schema file where to get that other XML schema...then implementers could store them wherever they want....or do you think that doing this could bring some security issue for implementers that, once they have downloaded the right XML schema files, just make use of these locally stored files?
> 
> Juan Carlos
> On 08/06/15 at 17:52, Hal Lockhart wrote:
>> If you really need this capability, the easiest solution would be to ask Admin at W3C to establish the required alias URI.
>> 
>> As Scott has pointed out, the need to retrieve the schema should be rare and not a routine operational process.
>> 
>> Hal
>> 
>>> -----Original Message-----
>>> From: Juan Carlos Cruellas [mailto:cruellas@ac.upc.edu]
>>> Sent: Monday, June 08, 2015 7:40 AM
>>> To: public-xmlsec@w3.org
>>> Subject: Potential issues in XML Schema files pointed out from XML Sig
>>> v1.1?
>>> 
>>> Dear all,
>>> 
>>> When looking at the XML Schema files pointed to by XML Sig v1.1 I have
>>> found the following:
>>> 
>>> 1. At the so-called "driver" file, at
>>> http://www.w3.org/TR/xmldsig-core1/xmldsig1-schema.xsd, I have noticed
>>> the following include:
>>> 
>>> <include schemaLocation="http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/xmldsig-core.xsd"/>
>>> 
>>> Please note that trying to retrieve a file from the URI within
>>> schemaLocation attribute results in a file not found error
>>> (404)....instead making a retrieve operation on
>>> "http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/xmldsig-core-schema.xsd"
>>> results in the correct file.
>>> 
>>> 
>>> 
>>> 
>>> 2. At the xml schema file in
>>> http://www.w3.org/TR/xmldsig-core1/xmldsig11-schema.xsd, corresponding
>>> to the xml schema for types and elements within xmldsig11 namespace,
>>> the two first lines are:
>>> 
>>> <schema targetNamespace="http://www.w3.org/2009/xmldsig11#" version="0.1" elementFormDefault="qualified">
>>> <import namespace="http://www.w3.org/2000/09/xmldsig#"/>
>>> 
>>> but the import element does not have the schemaLocation attribute that
>>> allows applications to automatically retrieve the xml schema defining
>>> types and elements for xmldsig namespace...shouldn't it be such a
>>> schemaLocation with a value
>>> http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/xmldsig-core-schema.xsd?
>>> 
>>> 
>>> Could you please confirm if you also see them as issues that could need
>>> to be fixed? and if so, could you please make an estimation on how and
>>> when they could be fixed?
>>> 
>>> 
>>> Best regards
>>> 
>>> Juan Carlos.
>>> 
>>> 
> 
> 

Received on Monday, 8 June 2015 19:47:09 UTC
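
The local-store approach discussed in this thread, as an added example that is not part of the original messages or of any W3C code: a resolver that maps each `include`/`import` to a vetted local copy and never fetches from the network, so neither the 404 `schemaLocation` nor the import without a `schemaLocation` matters. The local paths, the catalog names and the sample schema strings (including the added `xmlns` declaration) are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

XS = "{http://www.w3.org/2001/XMLSchema}"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
BASE = "http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/"
LOCAL_DSIG = "schemas/xmldsig-core-schema.xsd"   # hypothetical path to a vetted copy

# Hypothetical local catalog: imports resolve by namespace, includes by exact URL.
LOCAL_BY_NAMESPACE = {DSIG_NS: LOCAL_DSIG}
LOCAL_BY_LOCATION = {
    BASE + "xmldsig-core-schema.xsd": LOCAL_DSIG,
    BASE + "xmldsig-core.xsd": LOCAL_DSIG,   # the URL in the driver file that returns 404
}

def resolve_references(xsd_text):
    """Map every include/import in a schema to a local file; no network access."""
    resolved, unresolved = [], []
    for el in ET.fromstring(xsd_text).iter():
        if el.tag not in (XS + "include", XS + "import"):
            continue
        ns, loc = el.get("namespace"), el.get("schemaLocation")
        # Namespace lookup first, so a missing schemaLocation is harmless.
        path = LOCAL_BY_NAMESPACE.get(ns) or LOCAL_BY_LOCATION.get(loc)
        entry = (el.tag[len(XS):], ns or loc, path)
        (resolved if path else unresolved).append(entry)
    return resolved, unresolved

# Constructed samples modelled on the two snippets quoted in the thread.
HEAD = '<schema xmlns="http://www.w3.org/2001/XMLSchema"'
DRIVER = HEAD + '><include schemaLocation="' + BASE + 'xmldsig-core.xsd"/></schema>'
DSIG11 = (HEAD + ' targetNamespace="http://www.w3.org/2009/xmldsig11#"'
          ' version="0.1" elementFormDefault="qualified">'
          '<import namespace="' + DSIG_NS + '"/></schema>')
# Constructed negative case: a reference the catalog does not know must be refused.
UNKNOWN = (HEAD + '><import namespace="http://example.com/unknown"'
           ' schemaLocation="http://example.com/unknown.xsd"/></schema>')

if __name__ == "__main__":
    for name, doc in (("driver", DRIVER), ("xmldsig11", DSIG11), ("unknown", UNKNOWN)):
        ok, missing = resolve_references(doc)
        print(name, "resolved:", ok, "unresolved (fail closed):", missing)
```

A validator built on this would stop with an error when the unresolved list is non-empty instead of falling back to an HTTP retrieval.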