Re: Why is Except limited to local fragments?

The input to the decrypt transform is a node set.  The decrypt transform
tries to decrypt all the <enc:EncryptedData> in this node set.  Since all
the nodes in the node set belong to the same document, there is no need to
specify any node outside of this document.
When the signature is a detached one, and the <Reference> refers to some
portion of an external XML document, the input node set to the decrypt
transform will be the node set of this external XML document.  So the
<Except URI="..."/> is always relative to the referenced document.
Does it make sense?


Hiroshi Maruyama
Technical Advisor to Director, Tokyo Research Laboratory

From: Joseph Reagle <> on 2002/02/28 06:53

To:   Takeshi Imamura/Japan/IBM@IBMJP, Hiroshi Maruyama/Japan/IBM@IBMJP
Subject:  Why is Except limited to local fragments?

I was just rereviewing [1] while getting it ready for CR publication and
had a substantive question: why must the Except URI's be "same document URI
references"? The schema says anyURI and this doesn't permit one to use a
detached signature...? (Maybe this has already been covered, but if so, I
forgot the reason! <smile/>)

The REQUIRED URI attribute value of the dcrpt:Except element MUST be a
non-empty same-document URI reference [URI] (i.e., a number sign ('#')
character followed by an XPointer expression (as profiled by
[XML-Signature, Section]) and identify an enc:EncryptedData.


Joseph Reagle Jr.       
W3C Policy Analyst      
IETF/W3C XML-Signature Co-Chair
W3C XML Encryption Chair

Received on Thursday, 28 February 2002 00:00:32 UTC
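
An added example (not from the thread or the specification) of the rule described in the reply: Except URIs are resolved against the node set of the referenced document, so a detached signature over an external document still uses same-document references. It assumes bare-name fragments (`#Id`) only; the function name `partition` and the sample document are hypothetical.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"

# Constructed sample: the external document that a detached signature's
# <Reference> points at. Ids and content are made up for illustration.
REFERENCED_DOC = f"""<order xmlns:enc="{XENC}">
  <enc:EncryptedData Id="payment"/>
  <enc:EncryptedData Id="address"/>
  <note><enc:EncryptedData/></note>
</order>"""


def partition(referenced_xml, except_uris):
    """Split the enc:EncryptedData elements of the referenced document into
    (ids_to_decrypt, ids_left_encrypted), both in document order.

    Elements without an Id cannot be named by an Except, so they are always
    decrypted and appear as None in the first list.
    """
    root = ET.fromstring(referenced_xml)
    encrypted = list(root.iter(f"{{{XENC}}}EncryptedData"))
    known_ids = {el.get("Id") for el in encrypted} - {None}

    excepted = set()
    for uri in except_uris:
        # Same-document reference only: '#' plus a non-empty fragment.
        if len(uri) < 2 or not uri.startswith("#"):
            raise ValueError(f"Except URI is not a same-document reference: {uri!r}")
        frag = uri[1:]
        # The fragment is resolved against the referenced document's node set,
        # not against the document that carries the signature.
        if frag not in known_ids:
            raise ValueError(f"{uri!r} does not identify an enc:EncryptedData")
        excepted.add(frag)

    to_decrypt = [el.get("Id") for el in encrypted if el.get("Id") not in excepted]
    left = [el.get("Id") for el in encrypted if el.get("Id") in excepted]
    return to_decrypt, left


if __name__ == "__main__":
    print(partition(REFERENCED_DOC, ["#address"]))
```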