RE: Plenary from John Boyer on 2000-09-12 (w3c-ietf-xmldsig@w3.org from July to September 2000)

From: John Boyer <jboyer@PureEdge.com>
Date: Tue, 12 Sep 2000 09:32:02 -0700
To: "Martin J. Duerst" <duerst@w3.org>, "Jonathan Marsh" <jmarsh@microsoft.com>, <w3c-ietf-xmldsig@w3.org>
Message-ID: <BFEDKCINEPLBDLODCODKKEAJCFAA.jboyer@PureEdge.com>

Hi Martin,

I am personally OK with this approach, but I wonder how many existing
documents it will rule out signing.

For example, unless I'm misreading rfc2396, <e xmlns="string"/> is now
deprecated.  It seems ludicrous that I cannot sign well-formed document.  It
is as if it is not well-formed, which contradicts the plenary's own
intentions.

I think instead that we should focus on the intent of the plenary as
manifested in Answer 4 of [1], which indicates that we should be calling
these things namespace *names*, not namespace URIs.  We want conformant
software to retain the original namespace name; we don't care about URIs.

[1] http://www.w3.org/2000/09/xppa#47802880

Thanks,
John Boyer
Development Team Leader,
Distributed Processing and XML
PureEdge Solutions Inc.
Creating Binding E-Commerce
v: 250-479-8334, ext. 143  f: 250-479-3772
1-888-517-2675   http://www.PureEdge.com <http://www.pureedge.com/>

-----Original Message-----
From: Martin J. Duerst [mailto:duerst@w3.org]
Sent: Monday, September 11, 2000 7:20 PM
To: John Boyer; Jonathan Marsh; w3c-ietf-xmldsig@w3.org
Cc: w3c-xsl-wg@w3.org
Subject: RE: C14N: Non-absolutized URIs

At 00/09/11 17:03 -0700, John Boyer wrote:
><jonathan>
>No, the fact that XPath permits application-dependent behavior means only
>that the plenary has forced it (along with all other groups) to accept
>application-depedent behavior.
></jonathan>
>
><john>Right, and as an application of XPath, we are choosing the behavior
>that is most appropriate to our application.  No matter how much the
plenary
>wants to force things on dsig, there is nothing they can do to change the
>behavior of a sha-1 hash.  We MUST have a single behavior, therefore we
MUST
></john>

No, if you follow the recommendation of the plenary (which I think you
should
do), then the right way is to say that relative URI's behaviour is
undefined,
and that they therefore should not be used for signatures. C14N applications
may/should/must issue a warning when they find one of these when the are
used to prepare for signing.

Regards,   Martin.

Received on Tuesday, 12 September 2000 12:32:06 UTC