Re: serialization and xml wrapping

Hi Ari,

I think the text is a little bit confusing; but the general gist
is the following:

[2] implicitly recommends using canonicalization to preserve
namespace information, so the ciphertext can be decrypted
in a new context. If you follow this recommendation, you
should emit xmlns="" where you usually wouldn't (at the top
of the document).

However, the wrapping of [1] is done to support the case where
people _don't_ use canonicalization, but instead expect to
inherit namespace information from the surrounding document.

So, the example doesn't follow our implicit recommendation
of using c14n, but instead relies on inheriting namespace
information from the surrounding document.

Does this make sense?

Merlin

r/arik@phaos.com/2002.09.20/16:46:21
>
>Dear All,
>
>I'm confused about the rules for augmenting/wrapping/parsing decrypted XML
>in XML Encryption and Decryption Transform. Given the example from [1]:
>
><!DOCTYPE Document [
>  <!ENTITY dsig "http://www.w3.org/2000/09/xmldsig#">
>]>
><Document xmlns="http://example.org/">
>  <foo:Body xmlns:foo="http://example.org/foo">
>    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"
>                   Type="http://www.w3.org/2001/04/xmlenc#Element">
>      ...
>    </EncryptedData>
>  </foo:Body>
></Document>
>
>Where the EncryptedData element decrypts to:
>
><One><foo:Two/></One>
>
>The text gives the following as the correct result:
>
><!DOCTYPE dummy [
>  <!ENTITY dsig "http://www.w3.org/2000/09/xmldsig#">
>]>
><dummy xmlns="http://example.org/"
>       xmlns:foo="http://example.org/foo"><One><foo:Two/></One></dummy>
>
>However, [2] indicates that <Foo/> parsed in the context of:
>
><Bar xmlns="http://example.org/bar"/>
>
>Should be augmented to produce:
>
><Bar xmlns="http://example.org/bar"><Foo xmlns="" /></Bar>
>
>Wouldn't this mean that the example from [1] should give the result as:
>
><!DOCTYPE dummy [
>  <!ENTITY dsig "http://www.w3.org/2000/09/xmldsig#">
>]>
><dummy xmlns="http://example.org/"
>       xmlns:foo="http://example.org/foo"><One
>xmlns=""><foo:Two/></One></dummy>
>
>But this doesn't make sense to me, since the point of giving the parsing
>context to the dummy element is to make sure that inherited namespaces *are*
>transmitted to the wrapped XML.
>
>Further: [3] indicates, for Step 2 of decryptXML(N, E), that: "A namespace
>declaration xmlns="" MUST be emitted with every apex element that has no
>namespace prefix and URI as described in Serializing XML [XML-Encryption,
>section 4.3.3]". Firstly, we're talking about the apex elements in a
>node-set, which might include namespace nodes for the default namespace
>inherited from the dummy element in prior wrapping/parsing -- this means
>that an element without a namespace prefix is not necessarily without a
>namespace, and emitting xmlns="" would conflict with emission of the
>namespace node in the node-set.
>
>What am I missing?
>
>Thanks,
>Ari Kermaier
>
>-----------------
>[1]  http://www.w3.org/TR/xmlenc-core/#sec-Text-Wrapping
>[2]  http://www.w3.org/TR/xmlenc-core/#sec-Serializing-XML
>[3]  http://www.w3.org/Encryption/2001/Drafts/xmlenc-decrypt.html#sec-xml-processing
>

Received on Thursday, 26 September 2002 15:18:40 UTC
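
The two readings discussed in this thread, as an added example that is not part of the original messages: the decrypted fragment from [1] is parsed inside a dummy wrapper that supplies the inherited namespaces, once as given and once with xmlns="" emitted on the apex element, and the resulting expanded names are compared. The function names are hypothetical, the DOCTYPE from the example is left out, and Python's xml.etree.ElementTree stands in for whatever parser an implementation uses.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Namespace context of EncryptedData in the example from [1]
# (prefix -> URI; "" is the default namespace).
CONTEXT = {"": "http://example.org/", "foo": "http://example.org/foo"}


def parse_in_context(fragment, context):
    """Wrap a decrypted fragment in a dummy element declaring the inherited
    namespaces, parse it, and return the dummy's child elements."""
    decls = "".join(
        " xmlns%s=%s" % (":" + prefix if prefix else "", quoteattr(uri))
        for prefix, uri in sorted(context.items())
    )
    dummy = ET.fromstring("<dummy%s>%s</dummy>" % (decls, fragment))
    return list(dummy)


def expanded_names(fragment, context):
    """Expanded names ({uri}local) of every element in the fragment."""
    return [el.tag
            for apex in parse_in_context(fragment, context)
            for el in apex.iter()]


def parses_without_context(fragment):
    """True if the fragment is parseable with no inherited namespaces."""
    try:
        parse_in_context(fragment, {})
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    # Constructed inputs: the plaintext from the thread, as-is and with xmlns="".
    inherited = "<One><foo:Two/></One>"
    undeclared = '<One xmlns=""><foo:Two/></One>'
    print(expanded_names(inherited, CONTEXT))
    print(expanded_names(undeclared, CONTEXT))
    print(parses_without_context(inherited))
```

The same plaintext yields an element named One in http://example.org/ when it inherits the default namespace and in no namespace when xmlns="" is emitted, while the foo prefix resolves identically in both; without the wrapper the fragment does not parse at all because foo is unbound.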