[xmlsec] XPATH and Visa 3D-secure specification

Aleksey Sanin aleksey@aleksey.com
Thu, 25 Sep 2003 08:34:41 -0700



Well, this is not quite true. I looked into this question and there is a
clause in the XPointer spec that allows this:
       http://www.w3.org/TR/xptr-framework/#shorthand

     A shorthand pointer, formerly known as a barename, consists of an
     NCName alone. It identifies at most one element in the resource's
     information set; specifically, the first one (if any) in document
     order that has a matching NCName as an identifier. The identifiers
     of an element are determined as follows:

   1. If an element information item has an attribute information item
      among its *[attributes]* that is a schema-determined ID, then it
      is identified by the value of that attribute information item's
      *[schema normalized value]* property;

   2. If an element information item has an element information item
      among its *[children]* that is a schema-determined ID, then it is
      identified by the value of that element information item's
      *[schema normalized value]* property;

   3. If an element information item has an attribute information item
      among its *[attributes]* that is a DTD-determined ID, then it is
      identified by the value of that attribute information item's
      *[normalized value]* property.

   4. An element information item may also be identified by an
      externally-determined ID value.

    ....

    [Definition: An *externally-determined ID* is a string, representing
    an element identifier, whose value is determined by the application
    through mechanisms outside the scope of this specification.]


Note option 4) and the definition for it :( Of course, this is not an
interoperable solution. But when I had a private chat about that with
one of the Visa3D guys, he basically said that the system they use
internally has no problems, thus they don't care.

It sucks, but I don't see any option other than hacking LibXML2. Of
course, this is the worst idea one can ever imagine, but that's all I
have.


Aleksey



Rich Salz wrote:

>> <PARes id="ABC/D+">
>> ....
>> </PARes><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>> ....
>> <Reference URI="#ABC/D+">
>
>
> This is not conformant with the XML DSIG spec and XPath has nothing to 
> do with it.  See sections 4.3.3.2 and 4.3.3.3; in particular, the 
> final example in 4.3.3.2 and the following quote from the start of 
> 4.3.3.3
>      In a fragment URI, the characters are the number sign
>      ('#') character conform to the XPointer syntax.
>
> If you follow the link in the XML DSIG spec, you are redirected to a 
> newer W3C document, (the XPointer framework) which explains that this 
> must refer to an XML ID.
>
>     /r$
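
Added example (not part of either message, and not xmlsec or LibXML2 code): a small classifier for XML-DSig Reference URIs showing why "#ABC/D+" from the thread is not a shorthand pointer, since the fragment is not an NCName. The names ref_kind, is_ascii_ncname and classify_reference_uri are hypothetical, and the NCName check is restricted to ASCII as a simplifying assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Kinds of Reference URI (hypothetical names, not xmlsec or LibXML2 API). */
enum ref_kind {
    REF_WHOLE_DOC,    /* URI=""                                */
    REF_SHORTHAND,    /* URI="#NCName" (shorthand pointer)     */
    REF_SCHEME_BASED, /* URI="#xpointer(...)"                  */
    REF_NOT_XPOINTER, /* fragment is not valid XPointer syntax */
    REF_EXTERNAL      /* not a same-document reference         */
};

/* Assumption: ASCII-only subset of the NCName production. The full
 * grammar also admits many non-ASCII name characters, rejected here. */
static int is_ascii_ncname(const char *s)
{
    if (!(isalpha((unsigned char)*s) || *s == '_'))
        return 0;
    for (s++; *s != '\0'; s++)
        if (!(isalnum((unsigned char)*s) || strchr("_-.", *s) != NULL))
            return 0;
    return 1;
}

enum ref_kind classify_reference_uri(const char *uri)
{
    size_t n;
    if (uri[0] == '\0') return REF_WHOLE_DOC;
    if (uri[0] != '#') return REF_EXTERNAL;
    uri++; /* skip the number sign */
    if (is_ascii_ncname(uri))
        return REF_SHORTHAND;
    n = strlen(uri);
    /* Shape check only: "xpointer(" ... ")"; the expression is not parsed. */
    if (n > 10 && strncmp(uri, "xpointer(", 9) == 0 && uri[n - 1] == ')')
        return REF_SCHEME_BASED;
    return REF_NOT_XPOINTER;
}

int main(void)
{
    /* Constructed samples; the second is the Reference URI from the thread. */
    const char *samples[] = { "#ABCD", "#ABC/D+", "#xpointer(/)", "" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("\"%s\" -> %d\n", samples[i], (int)classify_reference_uri(samples[i]));
    return 0;
}
```

A verifier that logs or rejects REF_NOT_XPOINTER references makes the non-interoperable case visible instead of silently resolving it through an application-specific ID lookup.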

