XMLSec comments and recommended changes to C14N11 specification

The XML Security Specifications Maintenance WG has reviewed C14N11  
[1] and has the following comments and proposed changes.

(1) Change the first sentence in the Abstract from

"Canonical XML 1.1 is a revision to Canonical XML 1.0 to address  
issues raised while producing the xml:id specification."

to

"Canonical XML 1.1 is a revision to Canonical XML 1.0 to address  
issues related to inheritance of attributes in the XML namespace when  
canonicalizing document subsets, including the requirement not to  
inherit xml:id, and to treat xml:base URI path processing properly."

This should clarify the reasons for the C14N11 revision rather than  
the process used to reach the changes.

(2) Change the abstract and also the introduction to clarify the  
relationship to XML 1.0 and XML 1.1.

It is not clear in the C14N11 specification [1] that it is  only  
applicable to XML 1.0 and not XML 1.1 since it is not explicitly  
stated. There is also possible confusion about XPath versions.

Recommendation: Add the following statement to the text in both the  
abstract also the introduction to make this explicit:

"C14N11 is applicable to XML 1.0 and defined in terms of the XPath  
1.0 data model. It is not defined for XML 1.1."

(3) Add hyperlinks to the reference to RFC 3986 ([URI]) from the  
references to RFC 3986 in the fifth paragraph and bullets in Section  
2.4 [2]

(4) In section 2.4, Document Subsets, for clarity use the same  
notation for X and E values, e.g. state in
next to last paragraph in document subset section [2]:

"In that case let Xm ... X1 be the values of the xml:base attributes  
on En...E1 (in order from outermost to innermost). The sequence of  
values is reduced to a single value by first combining Xm with Xm-1,   
then the result with Xm-2, and so on"

instead of

"In that case let X1 ... Xm be the values of the xml:base attributes  
on En...E1 (in order from outermost to innermost). The sequence of  
values is reduced to a single value by first combining X1 with X2,  
then the result with X3, and so on"

(5) Add the following as a new paragraph at the end of section 2.4,  
Document Subsets:

"Attributes in the XML namespace other than xml:base, xml:id,  
xml:lang, and xml:space MUST be processed as ordinary attributes."

This provides guidance regarding expectations regarding possible new  
attributes in the XML namespace. In conjunction with this (but not  
for this document) when new attributes are defined in the xml  
namespace, security considerations and canonicalization  
considerations should be outlined.

(6) Add another example to section 3 showing handling of xml:id and   
xml:base for document subset, e.g.:
---
3.8 Document Subsets and XML attributes

Input

<!DOCTYPE doc [
<!ATTLIST e2 xml:space (default|preserve) 'preserve'>
<!ATTLIST e3 id ID #IMPLIED>
]>
<doc xmlns="http://www.ietf.org" xmlns:w3c="http://www.w3.org"
       xml:base="http://www.example.com/something/else">
     <e1>
        <e2 xmlns="" xml:id="abc" xml:base="../bar/">
           <e3 id="E3" xml:base="foo"/>
        </e2>
     </e1>
</doc>

Document Subset Expression (same as 3.7)
<!-- Evaluate with declaration xmlns:ietf="http://www.ietf.org" -->

(//. | //@* | //namespace::*)
[
     self::ietf:e1 or (parent::ietf:e1 and not(self::text() or  
self::e2))
     or
     count(id("E3")|ancestor-or-self::node()) = count(ancestor-or-
self::node())
]

Canonical Form

<e1 xmlns="http://www.ietf.org" xmlns:w3c="http://www.w3.org"><e3
xmlns="" id="E3" xml:base="http://www.example.com/bar/foo"
xml:space="preserve"></e3> </e1>

Demonstrates:
xml:id not inherited.
simple inheritable XML attribute inherited (xml:space)
xml:base fixup performed
---

The rationale is that there is no example for xml:id and xml:base  
handling in this section.

Thank you

regards, Frederick

Frederick Hirsch,  Nokia
Chair, XML Security Specifications Maintenance WG

[1] <http://www.w3.org/TR/xml-c14n11/>

[2] <http://www.w3.org/TR/xml-c14n11/#DocSubsets>

Received on Friday, 4 May 2007 18:11:15 UTC