Re: Why is Except limited to local fragments?

>> We may need a fragment of text to further clarify XPointer support
>> when it is applied to a different document from the signature.
>> In such a case, here() is an error and the XPointer initial context
>> is the root of the new document? We don't have this problem with
>> XPointers in dsig because they always refer to the same document.
>I'm not sure I understand this, I'll defer to the authors. <smile/>

Merlin, you are right.  As you say, we should add some text for XPointer
support.  Can you suggest it?

>> On a separate note, should we profile the decryption transform to
>> allow non-XML content (output is an octet stream)?
>We discussed the scenario below in September and Hiroshi suggested we
>need a new function:
>  Instead, we should define a new function that decrypts an
>  xenc:EncryptedData element with a type other than Element
>  or Content to an octet stream.  Also we have to state that
>  when such an xenc:EncryptedData element is being
>  decrypted, the input to the transform has to be a node-set
>  that has the xenc:EncryptedData element as the first node.
>As is my tendency I tend not to push for something unless someone says
>want it. Hiroshi/Takeshi, is Merlin's usage scenario the same as what you
>were thinking? If so, would you like to propose some text?

If such a scenario is necessary, we could support it by changing the
processing rules slightly.  They would be roughly as follows:

Z = decryptIncludedNodes(X, R)
1. Select an EncryptedData element within X (say e) that is not referenced
by any Except element in R, or return X if such e cannot be selected.
2. If the value of the Type attribute of e is Element or Content,
     2.1. Let C be a parsing context of X.
     2.2. Let Y be decrypt1(X, e, C).  If this function succeeds, replace X
with Y.
     2.3. Go to Step 1.
     2.4. Let Y' be decrypt2(X, e).
     2.5. Return Y'.

Y = decrypt1(X, e, C)
1. Let Y' be decrypt2(X, e).
2. Wrap Y'in the context of C into an octet stream.
3. Parse the octet stream into a node-set.
4. Trim the node-set into Y.
5. Return Y.

Y' = decrypt2(X, e)
1. Convert X into an octet stream.
2. Decrypt the element corresponding to e and replace it with the resulting
octet stream into Y'.
3. Return Y'.

Note that the input is still a node-set and the output is a node-set or
octet stream depending on the input.

Tokyo Research Laboratory
IBM Research

Received on Monday, 4 March 2002 11:19:43 UTC