Changes to C14N 2.0

http://www.w3.org/2008/xmlsec/Drafts/c14n-20/   Version 03 Jan 2011

 

 

Made the following changes

- All changes decided in TPAC 2010 http://lists.w3.org/Archives/Public/public-xmlsec/2010Nov/0006.html

- ACTION-680 scanning XPath for prefixes

- ACTION-692 highlight that Inclusive has been removed completely

- ACTION-712 XPathElement child of QNameAware

- ACTION-714 warning about not redefining xml and xmlns prefixes

- ACTION-715 scanning XPath for prefixes

 

 

While making the changes I realized a few problems

1. We removed Inclusive canonicalization completely, however the abstract of the document says "Canonical XML Version 2.0 is a major rewrite of Canonical XML Version 1.1 and Exclusive Canonical XML 1.0. It combines inclusive and exclusive canonicalization algorithms into a single algorithm, that takes the canonicalization mode as a parameter." If we remove inclusive canonicalization, can we still say that Canonical XML 2.0 is a successor to Canonical XML 1.0?

2. Section "2.4 The need for Exclusive Canonicalization" needs to be moved to a different location and also modified. It was written to introduce exclusive to people who were familiar with inclusive, however that doesn't apply any more since we removed inclusive.

3. Currently the behavior of the TrimTextNodes parameter depends on xml:space="preserve". But this doesn't make sense in exclusive mode, because we are not supposed to rely on ancestor context in exclusive mode. I say that we completely ignore xml:space.

4. CURIE doesn't make sense in exclusive mode also. First of all we removed such a basic thing like Inclusive canonicalization. Should we even put in something like CURIE in C14N 2.0? Secondly we don't have the CURIE context in C14N 2.0, so how do we even do visibly utilized. E.g. in the following snippet <a prefix="cc: http://creativecommons.org/ns#" rel="cc:license"> the "cc:license" is a compact way of saying "http://creativecommons.org/ns#license". But C14N 2.0 will not look at the prefix definition at all, so it cannot interpret this.

5. We are down to 4 parameters, and we are saying that only the default values are MANDATORY to implement. Non-defaults are OPTIONAL. I suggest we make them all MANDATORY, otherwise certain basic things like the solution to the XPath wrapping attack will not be available.

 

Pratik


Received on Tuesday, 4 January 2011 07:35:01 UTC
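
Added example, not part of the original message: item 4's "visibly utilized" problem, run through Python's standard-library `xml.etree.ElementTree.canonicalize` (Python 3.8+), which implements the final C14N 2.0 Recommendation rather than this draft. The two input documents are constructed, and `qname_aware_attrs` is Python's name for its QName-aware attribute option.

```python
from xml.etree.ElementTree import canonicalize

CC = "http://creativecommons.org/ns#"

# Constructed inputs. XMLNS_DOC binds "cc" with a real namespace declaration.
# CURIE_DOC is the snippet from item 4, where the binding is only the text of
# an ordinary attribute named "prefix".
XMLNS_DOC = f'<a xmlns:cc="{CC}" rel="cc:license"/>'
CURIE_DOC = f'<a prefix="cc: {CC}" rel="cc:license"/>'


def c14n(doc, qname_attrs=None):
    """Canonicalize doc, optionally treating the listed attributes as
    QName-valued. Returns 'unresolvable: ...' if a prefix has no binding."""
    try:
        return canonicalize(doc, qname_aware_attrs=qname_attrs)
    except ValueError as exc:
        return f"unresolvable: {exc}"


def demo():
    return {
        # "cc" appears only inside an attribute value, so it is not visibly
        # utilized and its declaration is dropped from the canonical form.
        "xmlns_default": c14n(XMLNS_DOC),
        # Declaring rel as QName-aware makes the prefix count as utilized,
        # so the declaration is kept and covered by any digest.
        "xmlns_qname_aware": c14n(XMLNS_DOC, ["rel"]),
        # The CURIE binding is opaque attribute text to the canonicalizer.
        "curie_default": c14n(CURIE_DOC),
        # Asking for rel to be resolved fails: no xmlns:cc is in scope.
        "curie_qname_aware": c14n(CURIE_DOC, ["rel"]),
    }


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name:18} {out}")
```
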