Re: Why is Except limited to local fragments? from Takeshi Imamura on 2002-03-01 (xml-encryption@w3.org from March 2002)

From: Takeshi Imamura <IMAMU@jp.ibm.com>
Date: Fri, 1 Mar 2002 17:54:46 +0900
To: reagle@w3.org
Cc: "Hiroshi Maruyama" <MARUYAMA@jp.ibm.com>, xml-encryption@w3.org
Message-ID: <OFA418E3D8.6C4ED751-ON49256B6F.002AEB2F@LocalDomain>

Thanks, Joseph.  It looks good, but a parenthesis is missing after
"[XML-Signature, Section 4.3.3.2])".

As to IDREF vs. non-empty same-document URI reference, IDREF would be
sufficient for most cases, but we should not preclude a case where an
XPointer is used because one may use it.  Note, we should specify all
support for XPointers except barename XPointer and "#xpointer(id('ID'))" as
OPTIONAL, like XML-Signature.

Thanks,
Takeshi IMAMURA
Tokyo Research Laboratory
IBM Research
imamu@jp.ibm.com

From: Joseph Reagle <reagle@w3.org>@w3.org on 2002/03/01 04:30

Please respond to reagle@w3.org

Sent by:  xml-encryption-request@w3.org

To:   Hiroshi Maruyama/Japan/IBM@IBMJP
cc:   Takeshi Imamura/Japan/IBM@IBMJP, xml-encryption@w3.org
Subject:  Re: Why is Except limited to local fragments?

On Thursday 28 February 2002 00:00, Hiroshi Maruyama wrote:
> The input to the decrypt tranform is a node set.  The decrypt transform
> tries to decrypt all the <enc:EncryptedData> in this node set.  Since all
> the node in the node set belong to the same document, there is no need to
> specify any node outside of this document.
> When the signature is a detached one, and the <Reference> refers to some
> portion of an external XML document, the input node set to the decrypt
> transform will be the node set of this external XML document.  So the
> <Except URI="..."/> is always relative to the referenced document.
> Does it make sense?

Yes, I've tweaked the text in section two to hopefully remove some
redundancy and make this more clear [1]. As an aside, did we consider the
use of IDREF or is the "non-empty same-document URI reference [URI] (i.e.,
a number sign ('#') character followed by an XPointer expression (as
profiled by [XML-Signature, Section 4.3.3.2])" give us something better
than that?

[1] 2 Decryption Transform
This transform requires an XPath node-set [XPath] for input. If an octet
stream is given as input, it must be converted to a node-set as described
in The Reference Processing Model (section 4.3.3.2) of the XML Signature
specification [XML-Signature]. The transform decrypts all the
enc:EncryptedData elements [XML-Encryption] except for those specified by
dcrpt:Except elements. dcrpt:Except is defined below via XML Schema
[XML-Schema] and appears as direct child elements of the ds:Transform
element.
The REQUIRED URI attribute value of the dcrpt:Except element MUST be a
non-empty same-document URI reference [URI] (i.e., a number sign ('#')
character followed by an XPointer expression (as profiled by
[XML-Signature, Section 4.3.3.2]) and identify an enc:EncryptedData within
the input to this transform.

--

Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature/
W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/

Received on Friday, 1 March 2002 03:54:55 UTC