- From: Joseph Reagle <reagle@w3.org>
- Date: Wed, 12 Sep 2001 12:43:12 -0400
- To: merlin <merlin@baltimore.ie>
- Cc: XML Signature WG <w3c-ietf-xmldsig@w3.org>
On Tuesday 11 September 2001 08:09, you wrote:
> But, do we desire a statement in the spec to the effect that if you have
> same-document references and validation may introduce default values,
> you should be careful to either validate the document before signing,
> or else explicitly specify all defaultable values?

http://www.w3.org/Signature/Drafts/xmldsig-core/#sec-CoreGeneration
$Revision: 1.120 $ on $Date: 20

3.1.2.3 ... Note, if the Signature is enveloped or enveloping, [XML] or [XML-schema] validation of the document might introduce changes that break the signature. Consequently, applications should be careful to consistently process the document or refrain from using external contributions (e.g., defaults and entities).

> 2. Implicit parsing of octet resources
> Options:
>
> a) Leave it implementation-specific.
>
> b) Specify that validated parsing is mandatory.
>
> c) Specify that well-formed parsing is mandatory. Specify a new
> transform for DTD validation, just as we have one for schema
> validation. Aside: Internal DTD subsets are always applied, even in
> well-formed parsing mode.

I suppose we should do (c). I'd suggest the following as RECOMMENDED
http://www.w3.org/2000/09/xmldsig#XML-Validate

What do others think?
Received on Wednesday, 12 September 2001 12:44:19 UTC
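
An added example, not part of the original message or of the specification: it shows how attribute defaults contributed by a DTD change the bytes that reach the digest, and how writing the defaultable value explicitly removes the dependence on processing mode. The sample documents, the simplified serializer (a stand-in for canonicalization), the use of expat's `specified_attributes` switch to model the two processing modes, and SHA-256 are all assumptions of the example.

```python
import hashlib
from xml.parsers import expat

# Constructed sample: the internal DTD subset gives Item/@status a default.
DOC_DEFAULTED = b"""<!DOCTYPE Doc [
<!ATTLIST Item status CDATA "draft">
]>
<Doc><Item id="a1">payload</Item></Doc>"""

# Same content, but the signer wrote the defaultable value out explicitly.
DOC_EXPLICIT = DOC_DEFAULTED.replace(b'id="a1"', b'id="a1" status="draft"')


def serialize(data, apply_defaults):
    """Parse with expat and re-emit elements with sorted attributes.

    Simplified stand-in for canonicalization (no escaping, namespaces or
    comments); enough to show what bytes would reach the digest.
    """
    out = []
    parser = expat.ParserCreate()
    # 1 = report only attributes present in the instance; 0 = also report
    # attributes supplied by ATTLIST defaults.
    parser.specified_attributes = 0 if apply_defaults else 1

    def start(name, attrs):
        pairs = "".join(f' {k}="{v}"' for k, v in sorted(attrs.items()))
        out.append(f"<{name}{pairs}>")

    parser.StartElementHandler = start
    parser.EndElementHandler = lambda name: out.append(f"</{name}>")
    parser.CharacterDataHandler = out.append
    parser.Parse(data, True)
    return "".join(out)


def digest(data, apply_defaults):
    return hashlib.sha256(serialize(data, apply_defaults).encode()).hexdigest()


if __name__ == "__main__":
    for label, doc in (("defaulted", DOC_DEFAULTED), ("explicit", DOC_EXPLICIT)):
        same = digest(doc, True) == digest(doc, False)
        print(f"{label}: digests agree across processing modes = {same}")
```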