Section 7.1 Re: Followup on I18N Last Call comments and disposition from Donald E. Eastlake 3rd on 2000-08-11 (w3c-ietf-xmldsig@w3.org from July to September 2000)

From: Donald E. Eastlake 3rd <dee3@torque.pothole.com>
Date: Fri, 11 Aug 2000 12:36:42 -0400
To: w3c-ietf-xmldsig@w3.org
Message-Id: <200008111636.MAA06322@torque.pothole.com>
I guess I had remembered my message below as having been a bit more
specific than it was.  So, here is specific wording for the second
part of Section 7.1.

"Note that items (2), (4), and (5C) depend on specific schema, DTD, or
similar declarations. In the general case, such declarations will not
be available to or used by the signature verifier, particularly for
non-signature XML, which may be in othr namespaces, in the same
document as the signature. Thus, a signature will only be verifiable
by such a non-validating signature implementations if the following
syntax contraints are observed when generating any signed material
including the SignedInfo element:

          1. Attributes having default values are explicitly present.
          2. All entity references (except "amp", "lt", "gt", "apos",
"quot", and other character entities not representable in the encoding
chosen) are expanded and non-representable characters are replaced by
their numeric character reference.
          3. Attribute value white space is normalized."

Thanks,
Donald

------- Forwarded Message -------

Message-Id:  <200007182143.RAA07750@torque.pothole.com>
To:  "Joseph M. Reagle Jr." <reagle@w3.org>
cc:  "Martin J. Duerst" <duerst@w3.org>, <lde008@dma.isg.mot.com>,
            w3c-ietf-xmldsig@w3.org
In-reply-to:  Your message of "Wed, 12 Jul 2000 18:02:32 EDT."
	                  <3.0.5.32.20000712180232.00ab5100@localhost> 
Date:  Tue, 18 Jul 2000 17:43:33 -0400
From:  "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>
Subject:  Re: Followup on I18N Last Call comments and disposition 

From:  "Joseph M. Reagle Jr." <reagle@w3.org>
Message-Id:  <3.0.5.32.20000712180232.00ab5100@localhost>
Date:  Wed, 12 Jul 2000 18:02:32 -0400
To:  "Martin J. Duerst" <duerst@w3.org>,
            "Donald Eastlake" <dee3@torque.pothole.com>, <lde008@dma.isg.mot.com>
Cc:  w3c-ietf-xmldsig@w3.org
In-Reply-To:  <3.0.5.32.20000627154454.00a42100@localhost>
References:  <4.2.0.58.J.20000626171723.009f63c0@sh.w3.mag.keio.ac.jp>

>Don, on the following point, could you provide some clarity?
>
>Does the text [1], "Thus, to interoperate between different XML
>implementations, the following syntax constraints MUST be observed" mean
>ONLY when a DTD/schema is not present, or any XML content being signed can
>never have attribute values? (I assume not).

I meant something like "Signatures which do not follow the three
syntax constrains below will generally fail to interoperate if any XML
implementation that ever tries to verify them does not have the
required DTD/schmea(s) present."  Note that it is not just the dsig
DTD/schema but for anything within the SignedInfo and other stuff in
the same document referenced by any References.  In generaly, it seems
like mandating these syntax contraints would be a good idea.

>And with respect to the text, "2. all entity references (except "amp", "lt",
>"gt", "apos", "quot", and other character entities not representable in the
>encoding chosen) be expanded" How would you respond to Martin's comment? I
>think the point was to say these things don't vary as they are defined by
>the doctype and convention, so that's why we don't mind if people use them
>in their non-expanded form: &amp; = &#38;

You have to be able to use most of the enumerated entities to properly
express things without tripping up the XML parsing and they are
pre-defined by the XML 1.0 specificaztion.  &amp; = &
"Expansion" is an odd term in this case as they change into one
character so they get shorter.

>[1] http://www.w3.org/TR/2000/WD-xmldsig-core-20000711/#sec-XML-1
>
>At 15:44 6/27/00 -0400, Joseph M. Reagle Jr. wrote:
> > >7.1, second list, point 2: 'except... and other character entities
> > >not representable...': This may be wrongly understood to mean that
> > >e.g. &eacute; in a HTML document shouldn't be expanded if
> > >the encoding is US-ASCII. This is of course wrong, &eacute;
> > >should in this case be changed to the appropriate numeric
> > >character reference (and the spec may have to say whether
> > >these should be decimal or hex,...).

I guess that's right, ie, characters not representable should be
changed into a numeric character reference.  But I can't see how it
matters whether it is decimal or hex.  Any conformant XML 1.0 reader
will translate the numeric character references into the appropriate
character.  Things which depend on the surface input character string
and assume no XML processing are completely screwed as far as
interoperability anyway.

>_________________________________________________________
>Joseph Reagle Jr.   
>W3C Policy Analyst                mailto:reagle@w3.org
>IETF/W3C XML-Signature Co-Chair   http://www.w3.org/People/Reagle/

Donald


------- End of Forwarded Message
Received on Friday, 11 August 2000 12:34:05 UTC