- From: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>
- Date: Mon, 30 Sep 2002 17:55:12 +0200
- To: "Spielman, Terence" <TSpielma@inovant.com>, "'w3c-ietf-xmldsig@w3.org'" <w3c-ietf-xmldsig@w3.org>
- Cc: "'reagle@w3.org'" <reagle@w3.org>
--On Monday, September 30, 2002 8:05 AM -0700 "Spielman, Terence" <TSpielma@inovant.com> wrote:

>
> Sorry to revive a dead topic, but it's been pointed out to me
> that the answer I received on this list might be erroneous.
>
>> > If anyone could quickly answer the following yes/no questions as
>> > well, I would appreciate it. Based on my readings of the specs
>> > (XML, Namespaces, XMLDSIG), my answers are in square brackets.
>> >
>> > 1) Is it required that the Signature element have a namespace
>> > node with a value of "http://www.w3.org/2000/09/xmldsig#"?
>> > [No if the XML need only be well-formed and Yes otherwise]
>>
>> Yes. The Signature element must be bound to that namespace.
>> This can look like this:
>>
>> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" >...</Signature>
>>
>> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" >...</ds:Signature>
>>
>> or even
>>
>> <doc xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>   <ds:Signature>....</ds:Signature>
>> </doc>
>>
>> In the latter case, there is no DOM node (no 'Attribute') in the
>> ds:Signature element, but the namespace is in scope.
>>
>
> I understand both of these examples, in which the namespace is
> either explicitly declared in the Signature element or inherited,
> but the XML DSIG DTD states the following:
>
> <!ATTLIST Signature
>   xmlns CDATA #FIXED 'http://www.w3.org/2000/09/xmldsig#'
>   Id    ID    #IMPLIED >
>
> And #FIXED means that if the xmlns is omitted, it will take the value
> specified above. This would lead me to believe that the xmlns attribute
> does NOT explicitly need to be included or inherited. Although this does
> disturb me. Can anyone set me straight?
>
> Thanks!
> Terence

I guess that there is a bit of confusion between the XML Information Set and the serialized form of XML:

Given a document which does *not* explicitly specify the xmlns="http://www.w3.org/2000/09/xmldsig#" in a <Signature> element. If you parse this document, the namespace NODE *is* there, even if you don't see it in the serialized form (which is only octets). But the node (in the XPath data model) MUST be there.

My personal opinion is that it's a bad idea to omit namespace declarations from an XML instance and to hope that the gaps are filled by a validating parser. Omitting things (like default attributes) and then creating signatures is not that nice, because a signature should be explicit on what was signed.

The DTD above is included in the dsig spec as during the creation of this spec, schemas were not fully finished.

Christian
Received on Monday, 30 September 2002 11:55:02 UTC
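
The distinction drawn in the reply above, between the parsed information set and the serialized octets, can be checked mechanically. The following is an added example, not part of the original message or of the XML Signature specification: it compares the namespace a parser reports for `Signature` with the namespace actually written in the serialization. The sample documents are constructed, and the function names (`infoset_namespace`, `serialized_namespace`, `relies_on_dtd_default`) are hypothetical; it assumes Python's bundled expat parser, which applies attribute defaults from the internal DTD subset.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

DSIG = "http://www.w3.org/2000/09/xmldsig#"
# Constructed samples: the same element with its namespace supplied three ways.
DTD_DEFAULT = ("<!DOCTYPE Signature [<!ATTLIST Signature xmlns CDATA #FIXED '%s'>]>"
               "<Signature/>" % DSIG)
EXPLICIT = '<Signature xmlns="%s"/>' % DSIG
INHERITED = '<doc xmlns:ds="%s"><ds:Signature/></doc>' % DSIG

def infoset_namespace(xml_text):
    """Namespace of the first Signature element as the parsed tree reports it."""
    for el in ET.fromstring(xml_text).iter():
        ns, _, local = el.tag.rpartition("}")
        if local == "Signature":
            return ns[1:] or None
    return None

def serialized_namespace(xml_text):
    """Namespace bound to Signature using only declarations written in the octets."""
    parser = expat.ParserCreate()      # no namespace processing by the parser
    parser.specified_attributes = 1    # do not report DTD-defaulted attributes
    scopes, found = [{}], []

    def start(name, attrs):
        scope = dict(scopes[-1])       # inherit declarations from ancestors
        for key, value in attrs.items():
            if key == "xmlns":
                scope[""] = value
            elif key.startswith("xmlns:"):
                scope[key[6:]] = value
        scopes.append(scope)
        prefix, _, local = name.rpartition(":")
        if local == "Signature" and not found:
            found.append(scope.get(prefix))

    parser.StartElementHandler = start
    parser.EndElementHandler = lambda name: scopes.pop()
    parser.Parse(xml_text, True)
    return found[0] if found else None

def relies_on_dtd_default(xml_text):
    """True when the dsig binding exists only because a DTD default filled it in."""
    return infoset_namespace(xml_text) == DSIG and serialized_namespace(xml_text) != DSIG

if __name__ == "__main__":
    for label, doc in (("dtd", DTD_DEFAULT), ("explicit", EXPLICIT), ("inherited", INHERITED)):
        print(label, infoset_namespace(doc), serialized_namespace(doc), relies_on_dtd_default(doc))
```

A signer or verifier can use a check like `relies_on_dtd_default` to refuse documents whose `Signature` namespace would disappear for a consumer that does not read the DTD.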