Re: XML Base and XPath absolutizing of URIs from Donald E. Eastlake 3rd on 2000-06-08 (www-xml-linking-comments@w3.org from April to June 2000)

From: Donald E. Eastlake 3rd <dee3@torque.pothole.com>
Date: Thu, 08 Jun 2000 18:55:10 -0400
To: "John Boyer" <jboyer@PureEdge.com>
cc: "XML DSig" <w3c-ietf-xmldsig@w3.org>, <xml-uri@w3.org>, <www-xpath-comments@w3.org>, <www-xml-linking-comments@w3.org>
Message-Id: <200006082255.SAA25615@torque.pothole.com>

Hi John,

From:  "John Boyer" <jboyer@PureEdge.com>
To:  "Joseph M. Reagle Jr." <reagle@w3.org>
Cc:  "XML DSig" <w3c-ietf-xmldsig@w3.org>, <elm@east.sun.com>, <xml-uri@w3.org>,
            <www-xpath-comments@w3.org>, <www-xml-linking-comments@w3.org>,
            <Daniel.Veillard@w3.org>, <connolly@w3.org>
Date:  Thu, 8 Jun 2000 14:43:01 -0700
Message-ID:  <BFEDKCINEPLBDLODCODKGEDHCDAA.jboyer@PureEdge.com>
In-Reply-To:  <3.0.5.32.20000608114527.009c9be0@localhost>

>Hi Joseph,
>
>...
>
>Well, there's no point in doing this.  The document's interpretation cannot
>be the subject of serious debate unless it is digitally signed.  Even with
>an absolute URI, it cannot be guaranteed that the target remains unchanged.
>In other words, if you want to claim that the namespace URI is something
>more than a string, that it imparts meaning to the document, then you will
>be lost unless you compare not URIs but the contents at the URI.  If the

Why? Won't many programs look for certain well known namespaces like
the one for XMLDSIG without caring in the slightest whether they point
to anything, let along whether it has changed...?

>content changes, then it does not matter that the URI has not.  The only way
>to do this is to store, within the source document, a digest of the result
>of dereferencing the namespace URI.  Now, please don't flood my email box
>with statements about how this violates the namespace recommendation because
>I am aware of the fact that the namespace rec says that-- that's the bone of
>contention people are having in the first place.  All I'm saying is that
>absolutizing the URIs is also a violation of the same rec, which says they
>should be treated like strings, but if you do want to violate that rec, then
>you should first consider the fact that it does you no good.
>
>Whether specified by absolute or relative URI, the digest value of the
>namespace qualifying document can be included in a digital signature (if the
>namespace URI truly does point to something meaningful).  Once the signature
>is effected, the relative URI can remain as long as it always points to a
>document with precisely the same digest value (possibly after
>canonicalization or other transforms).

I agree that including a reference to the content pointed to by a
namespace URI in an XML digital signature can be a useful technique
under some circumstances.

>
>...
>
>John Boyer
>Software Development Manager
>PureEdge Solutions Inc. (formerly UWI.Com)
>Creating Binding E-Commerce
>jboyer@PureEdge.com

Donald

Received on Thursday, 8 June 2000 18:53:28 UTC