EXC-XML-C14N ambiguity in processing InclusiveNamespaces PrefixList with undefined prefix from sampo@zxidp.org on 2010-10-07 (w3c-ietf-xmldsig@w3.org from October to December 2010)

From: <sampo@zxidp.org>
Date: Thu, 7 Oct 2010 03:30:11 +0200 (CEST)
To: w3c-ietf-xmldsig@w3.org
Cc: sampo@zxidp.org
Message-Id: <20101007013011.9083E21F3B@mail.zxidp.org>

The specification [XML-EXC-C14N] does not state how a namespace prefix, not

defined earlier in the document, should be processed. Section 3, bullet 2

does not help much as it seems to assume input where the prefixes are

always well defined. Similarily section 3.1 bullet 3.2.1 seems to assume

that all prefixes in the PrefixList are well defined.



My interpretation is that the undefined prefixes are errors that should

cause digital signature to be rejected. However I have been challenged

by some vendors on the market, claiming that their signatures with

undefined prefixes in InclusiveNamespaces PrefixList are indeed valid

as the specification does not expressly forbid such undefined

prefixes.



I think the specifications should be more clear on this issue. I would

hope for errata to be released to clarify this.



[XML-EXC-C14N] John Boyer, Donald E. Eastlake 3rd, Joseph Reagle: "Exclusive

  XML Canonicalization Version 1.0", W3C Recommendation 18 July 2002,

  http://www.w3.org/TR/xml-exc-c14n/



--Sampo

Received on Thursday, 7 October 2010 17:58:45 UTC