
Re: Decryption Transform comments

From: Donald E. Eastlake 3rd <dee3@torque.pothole.com>
Date: Sun, 11 Nov 2001 10:25:33 -0500
Message-Id: <200111111525.KAA0000103491@torque.pothole.com>
To: <hirsch@zolera.com>
cc: <IMAMU@jp.ibm.com>, <xml-encryption@w3.org>

I believe XPath should add the namespace declaration to all descendant
elements. This behaviour, which destroys a good part of the
information about where namespace declarations were in the original
input, is one reason for the complexity of canonicalization...


From:  "Frederick Hirsch" <hirsch@zolera.com>
Reply-To:  <hirsch@zolera.com>
To:  <IMAMU@jp.ibm.com>
Cc:  <xml-encryption@w3.org>
Date:  Fri, 2 Nov 2001 14:28:56 -0500

>I was thinking of the document which will have a portion signed, but now I'm
>thinking this is an application issue, not a Transform issue.
>The reason I was thinking this was due to the exclusive canonicalization
>issues, and what happens when a portion of XML is signed and then possibly
>removed from the document along with the signature, as might occur with XML
>protocol applications.
>For example if foo:b is to be signed, then later removed from the document
>along with the signature:
><a xmlns:foo="http://www.foo.org/">
>   <foo:b>
>      <EncryptedData>...</EncryptedData>
>   </foo:b>
></a>
>I understand that the InfoSet includes the namespace declarations
>appropriate to b, so the question is when and how to correctly serialize -
>it could be the responsibility of the application when it removes the b
>element during processing. That is what makes sense to me, so there is no
>need to change the recommendation for this.
>Earlier I was thinking this had to happen during signing (making the
>explicit namespace declaration in b). XPath will not necessarily add the
>namespace declaration to the b element (at least the processor I tried does
>not), so I believe canonicalization would be needed to force the explicit
>namespace declaration at b:
>   <foo:b xmlns:foo="http://www.foo.org/">
>      <EncryptedData>...</EncryptedData>
>   </foo:b>
>So the transforms would be canonicalize, XPath and Decryption transform, in
>that order.
>But if it is up to the application after the signature has been created,
>then it is not a transform issue.
>Frederick Hirsch
>Zolera Systems, http://www.zolera.com/
>Information Integrity, XML Security
Received on Sunday, 11 November 2001 10:28:07 UTC
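
The namespace question in this thread, as an added example that is not part of the original messages: a Python sketch (standard-library `xml.dom.minidom`) of what happens to `foo:b` when it is serialized apart from `a`, and of two ways an application could redeclare namespaces on it. It is not a canonicalizer; the `bar` prefix, its URI and all function names are assumptions made for the illustration.

```python
from xml.dom import minidom

# Constructed sample: the thread's fragment, closed so it parses, plus an
# unused prefix "bar" (hypothetical URI) to separate the two policies.
SAMPLE = ('<a xmlns:foo="http://www.foo.org/" xmlns:bar="http://www.bar.example/">'
          '<foo:b><EncryptedData>...</EncryptedData></foo:b></a>')

def in_scope_namespaces(elem):
    """Return {prefix: uri} in scope at elem; the nearest declaration wins."""
    scope, node = {}, elem
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        for attr in node.attributes.values():
            if attr.name == "xmlns":
                scope.setdefault("", attr.value)
            elif attr.name.startswith("xmlns:"):
                scope.setdefault(attr.name[6:], attr.value)
        node = node.parentNode
    return scope

def visibly_used_prefixes(elem):
    """Prefixes used by element and attribute names inside elem's subtree."""
    used, stack = set(), [elem]
    while stack:
        node = stack.pop()
        used.add(node.prefix or "")
        used.update(a.prefix for a in node.attributes.values()
                    if a.prefix and a.prefix != "xmlns")
        stack.extend(c for c in node.childNodes
                     if c.nodeType == c.ELEMENT_NODE)
    return used

def extract(xml_text, qname, policy):
    """Serialize the first element named qname as a stand-alone fragment.

    policy "naive": serialize as-is (ancestor declarations are lost);
    policy "all": redeclare every in-scope namespace on the element;
    policy "used": redeclare only the prefixes the subtree visibly uses.
    """
    elem = minidom.parseString(xml_text).getElementsByTagName(qname)[0]
    scope = in_scope_namespaces(elem)
    keep = {"naive": set(), "all": set(scope),
            "used": visibly_used_prefixes(elem)}[policy]
    for prefix in sorted(keep & set(scope)):
        elem.setAttribute("xmlns:" + prefix if prefix else "xmlns", scope[prefix])
    return elem.toxml()

if __name__ == "__main__":
    for policy in ("naive", "all", "used"):
        print(policy, extract(SAMPLE, "foo:b", policy))
```

The "naive" output no longer parses because `foo` is unbound. The "all" output also carries `bar`, so its bytes depend on the enclosing document, while "used" carries only `foo` and stays the same if `foo:b` is moved to another parent.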
