Re: Question for Implementors (Was: Schema Validation Transform) from Joseph Reagle on 2001-09-19 (w3c-ietf-xmldsig@w3.org from July to September 2001)

From: Joseph Reagle <reagle@w3.org>
Date: Wed, 19 Sep 2001 17:21:39 -0400
To: "Gregor Karlinger" <gregor.karlinger@iaik.at>
Cc: "XMLSigWG" <w3c-ietf-xmldsig@w3.org>, "Eastlake" <dee3@torque.pothole.com>
Message-Id: <20010919212140.2C46F8762D@policy.w3.org>

[This email responds to the particulars, the next one asks the more general 
question. Resulting document:
  http://www.w3.org/Signature/Drafts/xmldsig-core/ 
  $Revision: 1.127 $ on $Date: 2001/09/19 21:18:03 $
]

On Tuesday 18 September 2001 05:33, Gregor Karlinger wrote:
> BTW: Reading sections 6.6.6 and 6.6.7 of [1], a lot of questions emerge:
>
> (1) In section 6.6.6 it states: "If the input is an XPath node-set, this
>     node-set must be serialized first." An explicit statement how to
>     perform this serialization is missing here. Should Canonical XML
>     be used therefore?

According to the Reference Processing Model:

"If the data object is a node-set and the next transform requires octets, 
the signature application MUST attempt to convert the node-set to an octet 
stream using the specified canonicalization algorithm. Users may specify 
alternative transforms that override these defaults in transitions between 
transforms that expect different inputs."

However, both of these defaults are underspecified. We should add the 
default is Canonical XML for serialization, and XML1.0 well-formed 
processing for parsing. This then applies to any transform. I've tweaked 
these bullets accordingly.

> (2) The other question is, if it makes sence to perform a XML validation
>     transform at all, if the input is an XPath node set. Since the XPath
>     data model does not know about a DTD information item, I am not sure
>     what effects a validation transform should have in such a case?

None -- good point. I added a parenthetical: "(However, validating an XPath 
nodeset is of little use since the node-set will not have a Document Type 
Declaration associated with it.)"

> (3) I am not sure what should be the result of the XML schema validation
>     transfrom. The text in section 6.6.7 only says: "that the document
>     should be processed according to information within the resource
>     being transformed." But what does this mean? 

This means the document itself might have schema validation processing 
specified within itself. We want to punt on that issue (and as much as 
possible everything else) to the schema spec.

> Should the PSVI mapped to the output XPath node set?

No. This is orthogonal to the statement, but regaradless the XML Schema 
spec defines what changes are made to the Infoset by schema validation. 
(Very few, except for defaults attribute/content values). One could 
conceivable create a canonicalization that serialized the PSVI as well, but 
that's in the future.

> [1] http://www.w3.org/Signature/Drafts/xmldsig-core/

Received on Wednesday, 19 September 2001 17:21:53 UTC