- From: Ari Kermaier <arik@phaos.com>
- Date: Thu, 02 May 2002 13:56:35 -0400
- To: merlin <merlin@baltimore.ie>
- Cc: xml-encryption@w3.org
>My problem with iteration is:
> <Foo Id="foo">
>   <EncryptedData>
>     <!-- what was formerly
>     <Bar>
>       <EncryptedData Id="enc-1" />
>       <EncryptedData Id="enc-2" /> -->
>   </EncryptedData>
> </Foo>
>
>I can't run this through:
> Signature URI="#foo"
> Decrypt-Transform Except="#enc-2"
>
>During round 1, we get back a new node set with the original
>pair of EncryptedData, but the URI #enc-2 will no longer resolve
>because round 2 is processing a different document. So,
>suggesting that this transform can handle multiple encryption
>will only mislead people without a warning that Except elements
>won't work for multiply-encrypted data. Somewhat more to the
>point; because our Except references will no longer apply to
>the new document, round 2 will try and decrypt every
>EncryptedData that was excepted from round 1.

I don't understand -- why wouldn't URI="#enc-2" resolve? The spec states in
the last paragraph of section 2.1,

    "[...] When dereferencing dcrpt:Except URIs, the application
    MUST behave as if the root document node of the input node
    set is used to initialize the [XPointer] evaluation context, even
    if this node is not part of the node set. Unlike [XML-Signature],
    the URI may be evaluated against a different document from
    the signature document."

In round 2 we re-initialize the evaluation context to the root document
node for X, regardless of the consideration that X may be a node-set over a
new document.

Ari Kermaier arik@phaos.com
Senior Software Engineer
Phaos Technology Corp. http://www.phaos.com/
Received on Thursday, 2 May 2002 13:53:23 UTC
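
The multi-round behaviour discussed in this message, as an added illustration that is not part of the original post or of the specification: each round re-parses the current document and looks up the Except IDs from that document's root, so `#enc-2` resolves once round 1 has exposed it. The `seal` helper is a base64 stand-in (not real encryption), the sample document is constructed from the thread's element names, and each plaintext is assumed to be a single element.

```python
import base64
import xml.etree.ElementTree as ET

def seal(xml_text, enc_id=None):
    # Stand-in for encryption (NOT real crypto): base64 hides the inner markup.
    el = ET.Element("EncryptedData")
    if enc_id:
        el.set("Id", enc_id)
    el.text = base64.b64encode(xml_text.encode()).decode()
    return ET.tostring(el, encoding="unicode")

def decrypt_transform(xml_text, except_uris):
    """Run decryption rounds; return (final XML, Except IDs resolved per round)."""
    wanted = {u.lstrip("#") for u in except_uris}
    resolved_per_round = []
    while True:
        # Every round starts from a freshly parsed document, and the Except
        # IDs are looked up from that document's root, not the original one.
        root = ET.fromstring(xml_text)
        parent_of = {child: parent for parent in root.iter() for child in parent}
        enc = list(root.iter("EncryptedData"))
        excepted = [e for e in enc if e.get("Id") in wanted]
        targets = [e for e in enc if e.get("Id") not in wanted and e in parent_of]
        resolved_per_round.append(sorted(e.get("Id") for e in excepted))
        if not targets:
            return xml_text, resolved_per_round
        for e in targets:
            # "Decrypt" and splice the plaintext element in place of EncryptedData.
            plain = ET.fromstring(base64.b64decode(e.text))
            plain.tail = e.tail
            parent = parent_of[e]
            parent[list(parent).index(e)] = plain
        xml_text = ET.tostring(root, encoding="unicode")

# Constructed sample: <Bar> holding enc-1 and enc-2, itself sealed inside <Foo>.
INNER = "<Bar>" + seal("<A>one</A>", "enc-1") + seal("<B>two</B>", "enc-2") + "</Bar>"
SAMPLE = '<Foo Id="foo">' + seal(INNER) + "</Foo>"

if __name__ == "__main__":
    final, resolved = decrypt_transform(SAMPLE, ["#enc-2"])
    print(resolved)
    print(final)
```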