Re: Why is Except limited to local fragments? from merlin on 2002-04-04 (xml-encryption@w3.org from April 2002)

From: merlin <merlin@baltimore.ie>
Date: Thu, 04 Apr 2002 18:31:37 +0100
To: reagle@w3.org
Cc: "Takeshi Imamura" <IMAMU@jp.ibm.com>, xml-encryption@w3.org
Message-Id: <20020404173137.4D5D243BEA@yog-sothoth.ie.baltimore.com>

Being able to specify a document containing encrypted non-XML data at
a location other than the root would be convenient for some situations,
but can be solved with an XPath transform.

I view this as similar to the base-64 transform: It can take XML input
and will discard non-text nodes.  We could have required an explicit XPath
self::text() transform, but we chose to make the text-node filtering
implicit because XPath support is not REQUIRED by dsig.

So yes, like the base-64 transform, the other nodes are simply thrown
away. Implicit operations like this do raise 'know what was signed'
concerns, but they are not new to dsig.

However, absent any other desire for this use, I'm happy to defer to
Takeshi's text.

Merlin

r/reagle@w3.org/2002.03.27/18:21:21
>[Merlin, question for you at the bottom.]
>
>On Friday 22 March 2002 14:07, Takeshi Imamura wrote:
>> necessary:
>> >http://www.w3.org/Encryption/2001/Drafts/xmlenc-decrypt
>> >$Revision: 1.36 $ on $Date: 2002/03/18 18:45:50 $ GMT by $Author: reagle
>> > $
>> >
>> >o If an xenc:EncryptedData being decrypted is the first node in X, the
>> >value of its Type attribute MUST NOT be &xenc;Content. This ensures the
>> >result is always rooted by a single element.
>
>Ok, reflected in:
>
>http://www.w3.org/Encryption/2001/Drafts/xmlenc-decrypt 
> $Revision: 1.37 $ on $Date: 2002/03/27 23:17:41 $ GMT by $Author: reagle $
>
>
>> This ensures that if Type is Element, the result is a single-rooted
>> node-set, and otherwise, the result is binary data.
>>
>> >If the xenc:EncryptedData is not the first node in X and its type is
>> >neither &xenc;Element nor &xenc;Content, then it MUST be the only
>> >xenc:EncryptedData in X not referenced by an Except element. This
>> > prevents the mixed decryption of XML and non-XML data and restricts the
>> > decryption transform to a single piece of binary data.
>>
>> Sorry, I don't understand this.  In this case, after decryption, how are
>> nodes other than the EncryptedData element node and its descendant nodes
>> treated?  Are they thrown away?  If yes, it seems strange to me.  I would
>> like to propose the text like "If an xenc:EncryptedData element node
>> being decrypted is not the first node in X, the value of its Type
>> attribute MUST be &xenc;Element or &xenc;Content.  This ensures that the
>> result is always a node-set."  How do you feel?
>
>I find your text much simpler, however Merlin is the one that proposed the 
>present text and wants to be able to pull a single chunk of binary data out 
>of an XML document, so I'd like him to respond to your question.
>
>-- 
>
>Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
>W3C Policy Analyst                mailto:reagle@w3.org
>IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature/
>W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/
>


-----------------------------------------------------------------------------
Baltimore Technologies plc will not be liable for direct,  special,  indirect 
or consequential  damages  arising  from  alteration of  the contents of this
message by a third party or as a result of any virus being passed on.

This footnote confirms that this email message has been swept by
Baltimore MIMEsweeper for Content Security threats, including
computer viruses.
   http://www.baltimore.com

Received on Thursday, 4 April 2002 12:31:59 UTC