RE: signature portability / C14N / inherited namespaces

Hi Rob,

> <john>
> Such a mechanism already exists: document subsetting.  The namespace
> axis processing only includes those namespace nodes that are both in the
> axis and in the node-set.  Thus, if the application has a particular
> blob of XML to be signed, it is assumed that the application might know
> a bit more about the namespaces at play within that blob and hence could
> construct an Xpath to keep all desired elements and attributes plus only
> those namespace nodes required.  As a result, the signature could be
> moved to other contexts since unwanted namespace nodes from the new
> context are also not kept. </john>

John, if I understand you correctly, you are saying that the application
can provide, as the first parameter to the XML processor, a nodeset where
part of the namespace axis is missing.  Does this not contradict the
Canonical XML recommendation [1]?  I quote from Section 4.6:-

"Note that in document subsets, an element with omissions from its
ancestral element chain will be rendered to the canonical form with
namespace declarations that may have been made in its omitted ancestors,
thus preserving the meaning of the element."

<john>
Actually, it does not.  

"will be rendered to the canonical form with namespace declarations that
***may*** have been made in its omitted ancestors, thus preserving the
meaning of the element."

The intent of the sentence is only to communicate that when you c14n
(and subsequently sign) an element within a document (or any doc subset)
rather than the whole document, then the doc-subset may contain
namespaces from ancestors even if you've omitted the ancestor elements
themselves.  However, if your XPath expression explicitly omits certain
namespace nodes (possibly indirectly, by only keeping namespace nodes
meeting a specific criterion), then they are omitted. See the Namespace
Axis processing method in the Processing Model (Section 2.3).  A
namespace node is processed if it is in the axis AND in the node-set.
</john>

Regards
Rob Lugt

Received on Wednesday, 16 May 2001 14:24:38 UTC
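
The rule discussed in this message (a namespace node is processed only if it is in the axis AND in the node-set), as an added example that is not part of the original thread or of any C14N implementation. It covers elements, attributes and text only; the documents are constructed, the names `c14n_subset`, `keep_ns` and the `urn:example:*` URIs are hypothetical, and `keep_ns` stands in for the XPath filter that builds the node-set.

```python
import hashlib
from xml.dom import minidom
from xml.sax.saxutils import escape, quoteattr

def _is_ns(a):
    return a.name == "xmlns" or a.name.startswith("xmlns:")

def in_scope_ns(elem):
    """Namespace axis of elem: prefix -> URI, inherited declarations included."""
    parent = elem.parentNode
    is_elem = parent is not None and parent.nodeType == parent.ELEMENT_NODE
    scope = in_scope_ns(parent) if is_elem else {}
    scope.update({a.name.partition(":")[2]: a.value   # inner declarations win
                  for a in elem.attributes.values() if _is_ns(a)})
    return scope

def c14n_subset(elem, keep_ns, rendered=None):
    """Render elem's subtree; a namespace node is written only if it is in the
    axis AND keep_ns(prefix, uri) places it in the node-set."""
    rendered = rendered or {}
    new = sorted((p, u) for p, u in in_scope_ns(elem).items()
                 if keep_ns(p, u) and rendered.get(p) != u)
    out = "<" + elem.tagName
    out += "".join(" xmlns%s=%s" % (":" + p if p else "", quoteattr(u)) for p, u in new)
    attrs = sorted((a.name, a.value) for a in elem.attributes.values() if not _is_ns(a))
    out += "".join(" %s=%s" % (n, quoteattr(v)) for n, v in attrs)
    out += ">"
    for child in elem.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            out += c14n_subset(child, keep_ns, {**rendered, **dict(new)})
        elif child.nodeType == child.TEXT_NODE:
            out += escape(child.data)
    return out + "</" + elem.tagName + ">"

# Constructed sample: the same signed blob carried in two different envelopes.
PO = "urn:example:po"
BLOB = '<po:Order xmlns:po="%s"><po:Item>1</po:Item></po:Order>' % PO
CTX_A = '<a:Env xmlns:a="urn:example:a">%s</a:Env>' % BLOB
CTX_B = '<b:Msg xmlns:b="urn:example:b" xmlns:x="urn:example:x">%s</b:Msg>' % BLOB
keep_all = lambda prefix, uri: True        # whole namespace axis is in the node-set
only_po = lambda prefix, uri: uri == PO    # node-set keeps only what the blob uses

def canonical(xml, keep_ns):
    order = minidom.parseString(xml).getElementsByTagName("po:Order")[0]
    return c14n_subset(order, keep_ns)

def digest(xml, keep_ns):
    return hashlib.sha256(canonical(xml, keep_ns).encode()).hexdigest()
```

With `keep_all` the digest of the blob depends on the envelope it sits in; with `only_po` it is the same in both contexts.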