- From: Ari Kermaier <arik@phaos.com>
- Date: Thu, 02 May 2002 13:56:35 -0400
- To: merlin <merlin@baltimore.ie>
- Cc: xml-encryption@w3.org
>My problem with iteration is:
>
>  <Foo Id="foo">
>    <EncryptedData>
>      <!-- what was formerly
>        <Bar>
>          <EncryptedData Id="enc-1" />
>          <EncryptedData Id="enc-2" /> -->
>    </EncryptedData>
>  </Foo>
>
>I can't run this through:
>
>  Signature URI="#foo"
>    Decrypt-Transform Except="#enc-2"
>
>During round 1, we get back a new node set with the original
>pair of EncryptedData, but the URI #enc-2 will no longer resolve
>because round 2 is processing a different document. So,
>suggesting that this transform can handle multiple encryption
>will only mislead people without a warning that Except elements
>won't work for multiply-encrypted data. Somewhat more to the
>point; because our Except references will no longer apply to
>the new document, round 2 will try and decrypt every
>EncryptedData that was excepted from round 1.

I don't understand -- why wouldn't URI="#enc-2" resolve? The spec states in the last paragraph of section 2.1,

  "[...] When dereferencing dcrpt:Except URIs, the application MUST behave as if the root document node of the input node set is used to initialize the [XPointer] evaluation context, even if this node is not part of the node set. Unlike [XML-Signature], the URI may be evaluated against a different document from the signature document."

In round 2 we re-initialize the evaluation context to the root document node for X, regardless of the consideration that X may be a node-set over a new document.

Ari Kermaier
arik@phaos.com
Senior Software Engineer
Phaos Technology Corp.
http://www.phaos.com/
Received on Thursday, 2 May 2002 13:53:23 UTC
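
A simplified model of the behaviour described in the reply above, added here as an example; it is not part of the original message and is not the specification's processing algorithm. Assumptions: base64 stands in for encryption, a plain `Id` lookup stands in for XPointer, and the function names (`seal`, `resolve`, `decrypt_round`, `decrypt_transform`, `build_sample`) are hypothetical. Each round resolves the Except URI against the root of that round's document, which is re-parsed so that it really is a different document.

```python
import base64
import xml.etree.ElementTree as ET

def seal(xml_text):
    """Stand-in for encryption: base64 only, NOT a cipher."""
    return base64.b64encode(xml_text.encode()).decode()

def resolve(root, uri):
    """Resolve a '#id' reference starting from the given document root."""
    ident = uri.lstrip("#")
    return next((e for e in root.iter() if e.get("Id") == ident), None)

def decrypt_round(root, except_uris):
    """One pass over one document. Except URIs are dereferenced against
    `root`, the root of this round's document, not the original one."""
    skip = {id(n) for n in (resolve(root, u) for u in except_uris) if n is not None}
    changed = False
    for parent in list(root.iter()):          # snapshot: new plaintext waits a round
        for i, child in enumerate(list(parent)):
            if child.tag == "EncryptedData" and id(child) not in skip:
                parent[i] = ET.fromstring(base64.b64decode(child.text))
                changed = True
    # Serialize and re-parse so the next round works on a new document.
    return ET.fromstring(ET.tostring(root)), changed

def decrypt_transform(root, except_uris):
    """Iterate rounds until a round decrypts nothing."""
    rounds, changed = 0, True
    while changed:
        root, changed = decrypt_round(root, except_uris)
        rounds += int(changed)
    return root, rounds

def build_sample():
    """Constructed input shaped like the example quoted in the message."""
    bar = ('<Bar><EncryptedData Id="enc-1">%s</EncryptedData>'
           '<EncryptedData Id="enc-2">%s</EncryptedData></Bar>'
           % (seal("<Secret>one</Secret>"), seal("<Secret>two</Secret>")))
    return ET.fromstring('<Foo Id="foo"><EncryptedData>%s</EncryptedData></Foo>'
                         % seal(bar))

if __name__ == "__main__":
    doc, rounds = decrypt_transform(build_sample(), ["#enc-2"])
    print(rounds, ET.tostring(doc).decode())
```

In round 1 `#enc-2` resolves to nothing because the element is still inside the outer ciphertext; in round 2 it resolves against the new document and only `enc-1` is decrypted.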