- From: Takeshi Imamura <IMAMU@jp.ibm.com>
- Date: Fri, 1 Mar 2002 17:54:46 +0900
- To: reagle@w3.org
- Cc: "Hiroshi Maruyama" <MARUYAMA@jp.ibm.com>, xml-encryption@w3.org
Thanks, Joseph. It looks good, but a parenthesis is missing after "[XML-Signature, Section 4.3.3.2])".

As to IDREF vs. non-empty same-document URI reference, IDREF would be sufficient for most cases, but we should not preclude a case where an XPointer is used because one may use it. Note, we should specify all support for XPointers except barename XPointer and "#xpointer(id('ID'))" as OPTIONAL, like XML-Signature.

Thanks,
Takeshi IMAMURA
Tokyo Research Laboratory
IBM Research
imamu@jp.ibm.com

From: Joseph Reagle <reagle@w3.org>@w3.org on 2002/03/01 04:30
Please respond to reagle@w3.org
Sent by: xml-encryption-request@w3.org
To: Hiroshi Maruyama/Japan/IBM@IBMJP
cc: Takeshi Imamura/Japan/IBM@IBMJP, xml-encryption@w3.org
Subject: Re: Why is Except limited to local fragments?

On Thursday 28 February 2002 00:00, Hiroshi Maruyama wrote:
> The input to the decrypt transform is a node set. The decrypt transform
> tries to decrypt all the <enc:EncryptedData> in this node set. Since all
> the nodes in the node set belong to the same document, there is no need to
> specify any node outside of this document.
> When the signature is a detached one, and the <Reference> refers to some
> portion of an external XML document, the input node set to the decrypt
> transform will be the node set of this external XML document. So the
> <Except URI="..."/> is always relative to the referenced document.
> Does it make sense?

Yes, I've tweaked the text in section two to hopefully remove some redundancy and make this more clear [1].

As an aside, did we consider the use of IDREF or does the "non-empty same-document URI reference [URI] (i.e., a number sign ('#') character followed by an XPointer expression (as profiled by [XML-Signature, Section 4.3.3.2])" give us something better than that?

[1]
2 Decryption Transform

This transform requires an XPath node-set [XPath] for input. If an octet stream is given as input, it must be converted to a node-set as described in The Reference Processing Model (section 4.3.3.2) of the XML Signature specification [XML-Signature]. The transform decrypts all the enc:EncryptedData elements [XML-Encryption] except for those specified by dcrpt:Except elements. dcrpt:Except is defined below via XML Schema [XML-Schema] and appears as direct child elements of the ds:Transform element. The REQUIRED URI attribute value of the dcrpt:Except element MUST be a non-empty same-document URI reference [URI] (i.e., a number sign ('#') character followed by an XPointer expression (as profiled by [XML-Signature, Section 4.3.3.2]) and identify an enc:EncryptedData within the input to this transform.

--
Joseph Reagle Jr. http://www.w3.org/People/Reagle/
W3C Policy Analyst mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair http://www.w3.org/Signature/
W3C XML Encryption Chair http://www.w3.org/Encryption/2001/
Received on Friday, 1 March 2002 03:54:55 UTC
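
An added example, not part of the original message or of the draft it quotes: one way a verifier could resolve dcrpt:Except URI values against the transform's input, accepting only the barename and "#xpointer(id('ID'))" forms named in the thread and rejecting anything that does not identify an enc:EncryptedData. The function names, the sample document, the treatment of the `Id` attribute as the element's ID, and the duplicate-ID rejection are assumptions of this sketch.

```python
import re
import xml.etree.ElementTree as ET

ENC_DATA = "{http://www.w3.org/2001/04/xmlenc#}EncryptedData"
# Only the two XPointer forms discussed above: "#ID" and "#xpointer(id('ID'))".
_REF = re.compile(
    r"""^#(?:xpointer\(id\((['"])(?P<q>[^'"]+)\1\)\)|(?P<bare>[A-Za-z_][\w.\-]*))$""")

def except_id(uri):
    """Return the ID named by a dcrpt:Except URI value, or raise ValueError."""
    m = _REF.match(uri)
    if not m:  # empty, external-document, or unsupported XPointer reference
        raise ValueError(f"not a supported same-document reference: {uri!r}")
    return m.group("q") or m.group("bare")

def plan_decryption(root, except_uris):
    """Split the enc:EncryptedData elements under root into (decrypt, keep)."""
    # Assumption: the attribute named "Id" is the ID (no schema/DTD typing here).
    by_id = {}
    for el in root.iter():
        if "Id" in el.attrib:
            by_id.setdefault(el.get("Id"), []).append(el)
    keep = []
    for uri in except_uris:
        hits = by_id.get(except_id(uri), [])
        # Added check: an ambiguous (duplicated) ID is rejected, not guessed at.
        if len(hits) != 1 or hits[0].tag != ENC_DATA:
            raise ValueError(
                f"{uri!r} does not identify one enc:EncryptedData in the input")
        keep.append(hits[0])
    decrypt = [el for el in root.iter(ENC_DATA)
               if not any(el is k for k in keep)]
    return decrypt, keep

# Constructed sample input (not taken from the thread).
SAMPLE = """<order xmlns:enc="http://www.w3.org/2001/04/xmlenc#">
  <enc:EncryptedData Id="card"/>
  <enc:EncryptedData Id="memo"/>
  <note Id="plain"/>
</order>"""

if __name__ == "__main__":
    to_decrypt, excepted = plan_decryption(
        ET.fromstring(SAMPLE), ["#xpointer(id('memo'))"])
    print([e.get("Id") for e in to_decrypt], [e.get("Id") for e in excepted])
```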