Re: <Q> Does a signature XML Document need to be a valid XML document ? from Joseph M. Reagle Jr. on 2001-03-08 (w3c-ietf-xmldsig@w3.org from January to March 2001)

From: Joseph M. Reagle Jr. <reagle@w3.org>
Date: Thu, 08 Mar 2001 14:35:37 -0500
To: "XML DSig" <xmldsig@hotmail.com>
Cc: w3c-ietf-xmldsig@w3.org
Message-Id: <4.3.2.7.2.20010308141400.0205d5b0@rpcp.mit.edu>

At 21:38 3/8/2001 +0530, XML DSig wrote:
>I also looked at the sample signature XML document referenced at
>http://www.w3.org/TR/2000/CR-xmldsig-core-20001031/signature-example-rsa.xml 
>. There ain't no Schema /DTD reference either!

Correct, I expect many signature applications are well-formed XML 
applications. They recognize the namespace URI and know exactly what to do 
from that for signature validation. The processing rules [1] for Signature 
create well-formed XML, as does Canonical XML, without doctypes.

I don't *believe* (though someone might correct me) that anything in the 
specification requires an XML Signature to have its doctype present. We do 
say the signature instance should be a laxly valid according to the schema 
definitions but this is a rather weak requirement and can be enforced 
without schema processing by application code.

>In absence of the reference to the XML Schema / DTD there, it isn't
>a valid XML document! What is the rationale here ?
>Are we saying here that the intelligence of getting hold of the
>XMLDSig Schema resides with the signature application ?

Some namespaces have dereferencing conventions associated with them such 
that when you dereference them you get the right resource. Presently, 
dereferencing the dsig namespace gives you the spec, but I'm working on 
setting it up such that if the client (schema validators) ask for text/xml 
or application/xml, you get the schema. I hope the schema community comes to 
a shared convention on this point.

BTW: In [3], I've created an example that has a doctype declaration as well 
as xsi:schemaLocation that solves this problem if it is your concern.

>Additionally, I note in the case of enveloping signatures, the document
>fragment between the root element is inserted within
>
><disg:Object ID="SomeID" xmlns="" 
>xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
>  <rootElement>
>    ...
>  </rootElement>
></dsig:Object>
>
>Here again I have lost information about the schema location!

Why is xmlns="" ? "The default namespace can be set to the empty string. 
This has the same effect, within the scope of the declaration, of there 
being no default namespace." [4] So your <rootElement> isn't even a 
namespace, right? If it had a namespace, it might be dereferenceable, 
otherwise, if this is a concern of the application it could use 
xsi:schemaLocation .

[1] 
http://www.w3.org/Signature/Drafts/xmldsig-core/Overview.html#sec-Processing
>3.1.2.3 Construct the Signature element that includes SignedInfo, Object(s) 
>(if desired, encoding may be different than that used for signing), KeyInfo 
>(if required), and SignatureValue.
[2] http://www.w3.org/TR/2001/PR-xml-c14n-20010119
[3] http://www.w3.org/Signature/Drafts/xmldsig-core/signature-example.xml
[4] http://www.w3.org/TR/REC-xml-names/

__
Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature
W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/

Received on Thursday, 8 March 2001 14:37:15 UTC