- From: Joseph Reagle <reagle@w3.org>
- Date: Thu, 6 Sep 2001 09:31:22 -0400
- To: XML Signature WG <w3c-ietf-xmldsig@w3.org>
The following question asks what the parsing method is for XML1.0: well-formed or validating? I've presumed this is up to the applications, and most applications, if they want validating, will provide information necessary for that validation (e.g., a doctype). Should we provide a transform that makes it clear that one application requires validated parsing for signature validity (and consequently default attributes might be present where they wouldn't have otherwise), make validating parsing the default, or is the present state sufficient? [1] 4.3.3.2 The Reference Processing Model > > > > "If the data object is an octet stream and the next transform > > requires a node-set, the signature application MUST attempt > > to parse the octets yielding the required node-set." > > > > It is not stated whether the octets should be parsed in validating or > > well-formed mode. This ambiguity may lead to interoperability problems > > (default attributes). Please specify in which manner the octets should > > be parsed. Well-formed mode would appear to be appropriate, as DTD > > information will often be unavailable and schema validation is > > available as an explicit transform. > > > > It might also be appropriate to add a security warning about variance > > in the validation of a document between signing and verification. For > > example, if a self-signed document is generated without validation and > > verified with validation, then default values introduced by the > > schema/DTD may result in a signature verification error.
Received on Thursday, 6 September 2001 09:31:23 UTC