Re: Tentative signature over C14N examples from merlin on 2000-10-10 (w3c-ietf-xmldsig@w3.org from October to December 2000)

From: merlin <merlin@baltimore.ie>
Date: Tue, 10 Oct 2000 23:06:44 +0100
To: "John Boyer" <jboyer@pureedge.com>
Cc: "XML DSig" <w3c-ietf-xmldsig@w3.org>
Message-Id: <E13j7Xo-00045v-00@yog-sothoth>
Hi,

The C14N of e3 should ?not? have xmlns:w3c.

Also, I do not believe that the XPath tests for (self|parent)::e(1|2)
are correct. The default namespace for those nodes is non-null, and I
think that 2.3 of REC-xpath suggests that if you want to capture this
in an XPath you must use a namespace prefix in scope for the expression.
Hence ietf:e(1|2) in my earlier version of the XPath. Which was...

  <Transform ...><XPath xmlns:ietf="http://www.ietf.org">...ietf:e1...

But I'm often wrong about namespaces, so I'm prepared again.

I think that adding a regular attribute to e1 would be potentially
useful for this example (i.e., <e1 foo="bar">), just so the second
clause of your XPath can capture more than just namespace nodes
(which are probably treated differently to regular attributes).

Also, an example of C14N on the e3 element below would be interesting:

<e1 xmlns="http://foo" xmlns:bar="http://baz">
  <e2 xmlns="" xmlns:bar="">
    <e3 ID="E3" />
  </e2>
</e1>

This captures that empty xmlns namespaces are not really inherited,
but empty xmlns:* are. At least, I think they are.

Merlin

r/jboyer@PureEdge.com/2000.10.10/11:31:44
>Hi Merlin,
>
>I've changed example 3.7 as given below, and I am hoping you can provide
>feedback ASAP on whether you concur with the new version:
>
>Input:
>
><!DOCTYPE doc [
><!ATTLIST e2 xml:space (default|preserve) 'preserve'>
><!ATTLIST e3 id ID #IMPLIED>
>]>
><doc xmlns="http://www.ietf.org" xmlns:w3c="http://www.w3.org">
>   <e1>
>      <e2 xmlns="">
>         <e3 id="E3"/>
>      </e2>
>   </e1>
></doc>
>
>XPath:
>
>(//. | //@* | //namespace::*)
>[
>   self::e1 or (parent::e1 and not(self::text() or self::e2))
>   or
>   count(id("E3")|ancestor-or-self::node()) =
>count(ancestor-or-self::node())
>]
>
>Canonical Form:
>
><e1 xmlns="http://www.ietf.org" xmlns:w3c="http://www.w3.org"><e3 xmlns=""
>xmlns:w3c="http://www.w3.org" id="E3" xml:space="preserve"></e3></e1>
>
>============================
>Thanks,
>John Boyer
>Development Team Leader,
>Distributed Processing and XML
>PureEdge Solutions Inc.
>Creating Binding E-Commerce
>v: 250-479-8334, ext. 143  f: 250-479-3772
>1-888-517-2675   http://www.PureEdge.com <http://www.pureedge.com/>
>
>
>
>-----Original Message-----
>From: merlin@baltimore.ie [mailto:merlin@baltimore.ie]
>Sent: Saturday, October 07, 2000 8:52 AM
>To: John Boyer
>Cc: xmldsig-interop@pothole.com; XML DSig
>Subject: Re: Tentative signature over C14N examples
>
>
>Hi,
>
>Attached is a gzipped tarchive containing a signature over the
>seven C14N examples from the latest C14N draft, hopefully
>conforming to the latest signature draft. Included is also
>the raw C14N output. However, there is still one difference
>between my signature and the "correct" output so this should
>not yet be considered a valid test of canonicalization.
>
>r/jboyer@PureEdge.com/2000.10.06/11:52:54
>
>><john>
>>I also notice that your example 4 did not strip out the leading and
>trailing
>>whitespace for that attribute's value.  The example in c14n-20000907 is
>>wrong for not doing that.
>>By saying that your non-validating parser treats it no differently, are you
>>saying that your non-validating processor does not realize that the
>>attribute is identified as an ID attribute?
>>If so, please see Section 5.1 of the XML specification regarding
>conformance
>>of non-validating processors.
>></john>
>
>All becomes clear. I have a patch for the Apache XML parser,
>I'll clean it up and submit it to their dev list.
>
>><merlin>
>>Neither do I concur with the spec for example 7: I do not see
>>a justification for xmlns="".
>></merlin>
>>
>><john>
>>The justification is that e3 is not namespace qualified in the input, so it
>>should not be namespace qualified in the output.  The problem is that,
>>unfortunately, the XPath data model represents an empty default namespace
>>with the absence of a node, not with the presence of a default namespace
>>node having an empty value.  Thus, w.r.t. e3, we cannot tell the difference
>>between <e2 xmlns=""><e3/></e2> versus <e2><e3 xmlns=""/></e2>.  All we
>know
>>is that e3 was not be namespace qualified on input, so we preserve this
>>information on output.
>></john>
>
>>From the spec, wrt element nodes, their namespace axis and emission of
>xmlns="" iff:
>
>1. Yhe element E that owns the axis is in the node-set
>
>Here, element E is in the node set.
>
>2. Element E has a parent element
>
>Here, element E has a parent element.
>
>3. The nearest ancestor element of E in the node-set has a default namespace
>   node in the node-set (default namespace nodes always have non-empty
>values
>   in XPath)
>
>Here, element E has no ancestor element in the node set.
>
>Thus I do not see why this case qualifies for xmlns="".
>
>Incidentally, it would appear to me that condition 3 implies condition
>2 and thus condition 2 is redundant?
>
>><merlin>
>>I tweaked the XPath on example 7 to suit signature processing.
>></merlin>
>>
>><john>
>>Perhaps you could provide the full XPath transform that you've used.  I'm
>>pretty sure your tweak is fine, but I'd like to see the declaration of the
>>ieft prefix.  BTW, is there some reason why you didn't use the
>subexpression
>>inside the square brackets of example 7?
>></john>
>
>Yes, I was having ID problems. I've fixed them and attached a signature
>using the standard expression.
>
>I now only differ on example 7, as explained above.
>
>Merlin
>
Received on Tuesday, 10 October 2000 18:07:45 UTC