RE: XPath transform from Ed Simon on 2000-01-17 (w3c-ietf-xmldsig@w3.org from January to March 2000)

From: Ed Simon <ed.simon@entrust.com>
Date: Mon, 17 Jan 2000 10:17:58 -0500
To: w3c-ietf-xmldsig@w3.org
Message-ID: <01E1D01C12D7D211AFC70090273D20B101C4A9CE@sothmxs06.entrust.com>

Actually, I've been doing some work looking at how XSLT/XPath-aware
processors like LotusXSL can be used to ease implementation of the
XML Signature spec.  (Kent saw much of this work last week when we
were working on the example.)  I hope to present on this topic at 
the  face-to-face.

Regards, Ed
------------------------------------------------------------------------
--------------
Ed Simon
Software Engineer, Entrust Technologies
email:  ed.simon@entrust.com
ph: (613) 247-2583
------------------------------------------------------------------------
--------------
Register now for Entrust SecureSummit 2000
http://www.securesummit.com
May 1-4, 2000, Hyatt Regency at Reunion, Dallas, TX

-----Original Message-----
From: TAMURA Kent [mailto:kent@trl.ibm.co.jp]
Sent: Monday, January 17, 2000 3:38 AM
To: w3c-ietf-xmldsig@w3.org
Subject: Re: XPath transform

In message "RE: XPath transform"
    on 00/01/14, "John Boyer" <jboyer@uwi.com> writes:
> For your part B, XPath says that attribute order is application dependent.
> Well, the DSig Xpath transform is an application of Xpath, and the defined
> order is c14n order.  An application that conforms to dsig MUST conform to
> dsig's usage of xpath.

If I implement a signer and a verifier for the XML-Signature, of
course I use an existing XPath implementatoin in LotusXSL or XT.
It is impossible to sort the result node-set evaluated by these
XPath implementation in the c14n order because the node-set can
contain attributes from more than one element and application
can not know a parent element of an attribute node in DOM Level 1.

I think modifying an existing generic XPath implementation as
ordering in the c14n makes no sense.

I found one more problem.
5.6.3 XPath Filtering:
> If the result of the XPath expression is a node-set, then the
> output of the transform is a string containing the text
> rendering of the nodes in the node-set. The nodes are selected
> for rendering based on the document order (as defined in
> [XPath]) of the canonicalized input resource. The text
> rendering is performed in accordance with [XML-C14N].

How to render a node-set that consists of only attributes?  The
c14n does not define the way to render attributes out of an
element.

I think the XML-Signature specification should forbid XPath
expressions such that its result node-set consists of only
attributes.
If the problems I wrote were solved, the specificatoin would be
very hard to implement and to be understood.

-- 
TAMURA Kent @ Tokyo Research Laboratory, IBM

Received on Monday, 17 January 2000 10:18:56 UTC