Subject: Re: RE: [wss] RE: [wss-comment] Id clash case



I would request the OASIS WSS TC to consider opening this as an open
issue so we can track it and it doesn't fall through the cracks.

Thanks,
Manveen

----- Original Message -----
From: Michael McIntosh <mikemci@us.ibm.com>
Date: Wednesday, April 27, 2005 7:37 am
Subject: RE: [wss] RE: [wss-comment] Id clash case

> "Paul Cotton" <pcotton@microsoft.com> wrote on 04/27/2005 10:08:19 AM:
> 
> > Manveen originally asked:
> > > It is not clearly stated what should happen when a wsu:Id or another
> > > form of ID do clash?
> > 
> > Michael McIntosh stated:
> > > I think WS-Security should (as it does) make it clear that the presence of
> > > multiple IDs with the same value should not be allowed.
> > 
> > WSS 1.0 currently states:
> > > "Two wsu:Id attributes within an XML document MUST NOT have the same
> > > value."
> > 
> > As Manveen has pointed out, I do not think that WS-Security clearly
> > handles the case where a wsu:id attribute has the same value as another
> > id attribute that is NOT from the wsu namespace e.g. xml:id.
> > 
> > Mike: Do you want to extend the WSS uniqueness constraint to cover the
> > case where another id attribute (not in the wsu namespace) has the same
> > value as a wsu:id attribute?
> 
> I think that is what was intended - the addition of other forms of ID came
> late and it looks like this case was not properly covered in the added
> text.
> 
> > 
> > /paulc
> > 
> > Paul Cotton, Microsoft Canada 
> > 17 Eleanor Drive, Nepean, Ontario K2E 6A3 
> > Tel: (613) 225-5445 Fax: (425) 936-7329 
> > mailto:pcotton@microsoft.com
> > 
> > 
> > 
> > > -----Original Message-----
> > > From: Michael McIntosh [mailto:mikemci@us.ibm.com]
> > > Sent: April 27, 2005 8:05 AM
> > > To: Paul Cotton
> > > Cc: Manveen Kaur; wss@lists.oasis-open.org
> > > Subject: Re: [wss] RE: [wss-comment] Id clash case
> > > 
> > > "Paul Cotton" <pcotton@microsoft.com> wrote on 04/26/2005 08:32:10 PM:
> > > 
> > > > ? moving discussion to the TC email list:
> > > >
> > > > Another source of information on the processing of id attributes is
> > > > the new W3C xml:id WD:
> > > > http://www.w3.org/TR/xml-id/
> > > >
> > > > Note that even this specification does NOT enforce the uniqueness
> > > > constraint with a MUST:
> > > > "An xml:id processor should assure that the following constraints hold:
> > > > *         The values of all xml:id attributes and all attributes of
> > > > type 'ID' within a document are unique."
> > > > And to make the puzzle complete even when the above constraint is
> > > > upheld by the xml:id processor then the error is non-fatal:
> > > > [Definition: An xml:id error is a non-fatal error that occurs when an
> > > > xml:id processor finds that a document has violated the constraints
> > > > of this specification.]
> > > > So it appears to me that the semantics of what happens for duplicate
> > > > ids is determined at the application level.
> > > 
> > > I think WS-Security should (as it does) make it clear that the presence of
> > > multiple IDs with the same value should not be allowed. One of the
> > > elements with the same ID value could be signed and verified by the
> > > security layer, while a second unsigned element with the same ID value
> > > could be passed to the application. The application might incorrectly
> > > assume that the element had been signed and verified. It is better for the
> > > security layer to reject such messages.
> > > 
> > > > /paulc
> > > >
> > > > Paul Cotton, Microsoft Canada
> > > > 17 Eleanor Drive, Nepean, Ontario K2E 6A3
> > > > Tel: (613) 225-5445 Fax: (425) 936-7329
> > > > mailto:pcotton@microsoft.com
> > > >
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Manveen Kaur [mailto:Manveen.Kaur@Sun.COM]
> > > > > Sent: April 26, 2005 8:05 PM
> > > > > To: wss-comment@lists.oasis-open.org
> > > > > Subject: [wss-comment] Id clash case
> > > > >
> > > > > Hi,
> > > > >
> > > > > WSS specification [1] Lines 405-408 state-
> > > > >
> > > > > "Two wsu:Id attributes within an XML document MUST NOT have the same
> > > > > value. Implementations MAY rely on XML Schema validation to provide
> > > > > rudimentary enforcement for intra-document uniqueness. However,
> > > > > applications SHOULD NOT rely on schema validation alone to enforce
> > > > > uniqueness."
> > > > >
> > > > > It is not clearly stated what should happen when a wsu:Id or another
> > > > > form of ID do clash?
> > > > >
> > > > > DOM defines behaviour as undefined and shorthand xpointer says it would
> > > > > use the first element found in that Id.
> > > > >
> > > > > What is the implementation's expected behaviour in this case?
> > > > >
> > > > > Thanks,
> > > > > --Manveen
> > > > >
> > > > > [1]
> > > > > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf
> 
> 
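
The rejection Michael McIntosh argues for, extended to the cross-namespace case Paul Cotton raises, as an added example that is not part of this thread or of the WSS specification. The set of attributes treated as IDs, the function names and both sample messages are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
XML = "http://www.w3.org/XML/1998/namespace"
# Assumption of this sketch: wsu:Id, xml:id and the unqualified Id attribute
# (as used on XML Signature / XML Encryption elements) all count as IDs.
ID_ATTRS = (f"{{{WSU}}}Id", f"{{{XML}}}id", "Id")


class DuplicateIdError(ValueError):
    """Raised when one ID value is carried by more than one attribute."""


def collect_ids(root):
    """Map each ID value to the (element tag, attribute) pairs that carry it."""
    seen = defaultdict(list)
    for el in root.iter():
        for attr in ID_ATTRS:
            value = el.get(attr)
            if value is not None:
                seen[value].append((el.tag, attr))
    return seen


def check_unique_ids(xml_text):
    """Run before any signature reference is resolved.

    Returns the set of ID values, or raises DuplicateIdError if a value is
    repeated, regardless of which ID attribute form carries each copy.
    """
    seen = collect_ids(ET.fromstring(xml_text))
    clashes = sorted(v for v, locs in seen.items() if len(locs) > 1)
    if clashes:
        raise DuplicateIdError(f"duplicate ID values: {clashes}")
    return set(seen)


# Constructed sample: a wsu:Id and an xml:id share the value "body-1".
CLASH = f"""<Envelope xmlns:wsu="{WSU}">
  <Header><Extra xml:id="body-1"><amount>999</amount></Extra></Header>
  <Body wsu:Id="body-1"><amount>10</amount></Body>
</Envelope>"""
# Constructed sample: same message with distinct ID values.
CLEAN = CLASH.replace('xml:id="body-1"', 'xml:id="extra-1"')

if __name__ == "__main__":
    print(check_unique_ids(CLEAN))
    try:
        check_unique_ids(CLASH)
    except DuplicateIdError as exc:
        print("rejected:", exc)
```

A wsu:Id-only uniqueness check would accept the first sample, since it contains a single wsu:Id attribute.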

