Subject: [dss] Public comment: OASIS-DSS Exclusive Canonicalization and ValidationErrors(Unique Particle Attribution)
Dear all,
First I have to apologize for following up on myself, but I'd like to add a few points to my last public comment (21.03.2005) after I had a short email exchange with Martin Centner.

FYI, Martin Centner wrote:
Konrad Lanz wrote:

As indicated by Martin, a solution to this problem exists; it can be found in Namespaces in XML 1.1, in the section "Namespace Scoping":

> [...] The attribute value in a namespace declaration for a prefix MAY be empty.
> This has the effect, within the scope of the declaration, of removing any association
> of the prefix with a namespace name. [...]

This makes it possible to remove namespaces from the scope of particular elements and their children, hence avoiding their declaration through Canonical XML. If XML 1.0 is to be supported by DSS, this mechanism is only available for the default namespace (xmlns), as indicated in Namespaces in XML. However, there exists a workaround to free a node from its namespace context for XML 1.0 as well: if DOM is used to process the XML, the importNode method can be used to free a node from its namespace context. This, however, requires the relevant XML data (element node) to have a parent node from whose context it can be separated by importing it into a new document. This already works well for <dss:InputDocuments>, for example, as they are enclosed by <dss:XMLData> tags, but not for <ds:Signature>, as it is a direct child of <dss:SignatureObject>. Hence I'd suggest something similar for <ds:Signature> to what <dss:XMLData> is for XML content. See the suggested <dss:XMLSignature> in SchemaSnippet1 at the end of this email. Analogous modifications could also be made for <ds:Transforms> and <ds:KeyInfo>. This would also enable a solution to the problem with the "Unique Particle Attribution" constraint mentioned in my last posting.
Then <xs:any namespace="##other" processContents="lax"/> could be used instead of <xs:any processContents="lax"/>, and all newly defined <xs:element>s in profiles that will be matched by the <xs:any> wildcards would then either lie outside the dss namespace or could be defined as in the attached schema file. There I defined <xs:complexType>s for SignRequestOptionalInputs, SignResponseOptionalOutputs, VerifyRequestOptionalInputs and SignResponseOptionalOutputs.

Best regards,
Konrad Lanz

P.S.: I also added <xs:attribute name="ObjId" type="xs:string" use="optional"/> in <dss:EnvelopingSignature>, which seems to have gone missing, as Antonio has mentioned. See Example1 at the end of this email:

########################### SchemaSnippet1 Begin ###########################
<xs:element name="SignatureObject">
  <xs:complexType>
    <xs:sequence>
      <xs:choice>
        <!-- <xs:element ref="ds:Signature"/> -->
        <xs:element ref="dss:XMLSignature"/>
        <xs:element ref="dss:Timestamp"/>
        <xs:element ref="dss:Base64Signature"/>
        <xs:element ref="dss:SignaturePtr"/>
        <xs:any namespace="##other" processContents="lax"/>
      </xs:choice>
      <xs:element name="Schema" type="xs:base64Binary" minOccurs="0"/>
    </xs:sequence>
  </xs:complexType>
</xs:element>

<xs:element name="XMLSignature">
  <xs:complexType>
    <xs:sequence>
      <xs:element ref="ds:Signature"/>
    </xs:sequence>
  </xs:complexType>
</xs:element>
########################### SchemaSnippet1 End ###########################
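The namespace-context problem and the importNode workaround discussed in the mail, as an added example that is not part of Konrad Lanz's message or of the OASIS DSS schema. It uses Python's standard-library DOM (xml.dom.minidom); the namespace URIs urn:example:dss and urn:example:extra and the sample VerifyRequest are constructed for the demo, and the functions in_scope_namespaces and visibly_utilized are a deliberately simplified model of what Canonical XML 1.0 (inclusive) and Exclusive XML Canonicalization render on the apex of a subtree, without the InclusiveNamespaces PrefixList or the "already rendered by an ancestor" refinements of the real algorithms.

```python
"""Added example, not part of Konrad Lanz's mail or of the OASIS DSS schema.

Models why a <ds:Signature> placed directly under <dss:SignatureObject>
inherits the namespace declarations of the enclosing DSS message under
Canonical XML 1.0 (inclusive), why Exclusive XML Canonicalization does not
care, and how the DOM importNode workaround from the mail strips the
inherited context.  Namespace URIs and the message below are constructed;
the rendering rules are a simplified model of the two canonicalization
algorithms (no InclusiveNamespaces PrefixList, no "already rendered by an
ancestor" refinement).
"""
from xml.dom import Node, XMLNS_NAMESPACE, minidom

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the root declares xmlns:dss and xmlns:extra, both of
# which are in scope for ds:Signature although the signature never uses them.
SAMPLE = (
    '<dss:VerifyRequest xmlns:dss="urn:example:dss" xmlns:extra="urn:example:extra">'
    '<dss:SignatureObject>'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:SignedInfo><ds:Reference URI="#doc1"/></ds:SignedInfo>'
    '<ds:SignatureValue>MEUCIQ==</ds:SignatureValue>'
    '</ds:Signature>'
    '</dss:SignatureObject>'
    '</dss:VerifyRequest>'
)


def _own_declarations(elem):
    """{'xmlns' or 'xmlns:prefix': uri} for the declarations on one element."""
    return {a.name: a.value for a in elem.attributes.values()
            if a.namespaceURI == XMLNS_NAMESPACE}


def in_scope_namespaces(elem):
    """Namespace axis of elem (root-to-elem, nearer declarations win).
    Canonical XML 1.0 renders all of these on the apex of a subtree, so the
    canonical bytes depend on every ancestor in the enclosing document."""
    chain = []
    node = elem
    while node is not None and node.nodeType == Node.ELEMENT_NODE:
        chain.append(node)
        node = node.parentNode          # stops at the Document node
    scope = {}
    for ancestor in reversed(chain):
        scope.update(_own_declarations(ancestor))
    # An empty value undeclares the namespace (XML 1.1 for prefixes, XML 1.0
    # for the default namespace only); nothing is rendered for it.
    return {name: uri for name, uri in scope.items() if uri != ""}


def visibly_utilized(elem):
    """Declarations Exclusive XML Canonicalization would render for the
    subtree at elem: only prefixes actually used by element or attribute
    names inside it, resolved against the namespace axis."""
    used, stack = set(), [elem]
    while stack:
        node = stack.pop()
        used.add("xmlns:" + node.prefix if node.prefix else "xmlns")
        for a in node.attributes.values():
            if a.namespaceURI != XMLNS_NAMESPACE and a.prefix:
                used.add("xmlns:" + a.prefix)
        stack.extend(c for c in node.childNodes if c.nodeType == Node.ELEMENT_NODE)
    scope = in_scope_namespaces(elem)
    return {name: scope[name] for name in used if name in scope}


def detach_via_import(elem):
    """The XML 1.0 workaround from the mail: import the element into a fresh
    Document, so it no longer has ancestors carrying declarations."""
    fresh = minidom.Document()
    copy = fresh.importNode(elem, True)
    fresh.appendChild(copy)
    return copy


def signature_element(xml_text):
    """First ds:Signature element of the parsed message."""
    doc = minidom.parseString(xml_text)
    return doc.getElementsByTagNameNS(DSIG_NS, "Signature")[0]


def compare(xml_text=SAMPLE):
    """Return (inclusive, exclusive, after_import) declaration maps."""
    sig = signature_element(xml_text)
    return (in_scope_namespaces(sig),
            visibly_utilized(sig),
            in_scope_namespaces(detach_via_import(sig)))


if __name__ == "__main__":
    labels = ("inclusive c14n", "exclusive c14n", "after importNode")
    for label, decls in zip(labels, compare()):
        print(f"{label:18}: {sorted(decls)}")
```

Run stand-alone, the inclusive map for the embedded signature carries xmlns:dss and xmlns:extra alongside xmlns:ds, while the exclusive map and the map for the imported copy contain only xmlns:ds. That difference is the interoperability risk the mail is about: a verifier that canonicalizes inclusively sees different bytes for the same signature depending on which DSS message it was embedded in, so a wrapper element from whose context the signature can be detached (the proposed <dss:XMLSignature>), or Exclusive XML Canonicalization, keeps the result independent of the enclosing message.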
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema targetNamespace="http://www.docs.oasis-open.org/dss/2004/06/oasis-dss-1.0-core-schema-wd-30.xsd"
           xmlns:dss="http://www.docs.oasis-open.org/dss/2004/06/oasis-dss-1.0-core-schema-wd-30.xsd"
           xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
           xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
           elementFormDefault="qualified" attributeFormDefault="unqualified">

  <xs:import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"/>
  <xs:import namespace="urn:oasis:names:tc:SAML:1.0:assertion" schemaLocation="http://www.oasis-open.org/committees/download.php/3408/oasis-sstc-saml-schema-protocol-1.1.xsd"/>
  <xs:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="http://www.w3.org/2001/xml.xsd"/>

  <!-- COMMON PROTOCOL STRUCTURES -->
  <xs:complexType name="DSSAnyType">
    <xs:sequence>
      <xs:any processContents="lax" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>

  <xs:complexType name="InternationalStringType">
    <xs:simpleContent>
      <xs:extension base="xs:string">
        <xs:attribute ref="xml:lang"/>
      </xs:extension>
    </xs:simpleContent>
  </xs:complexType>

  <xs:element name="InputDocuments">
    <xs:complexType>
      <xs:sequence>
        <xs:choice minOccurs="1" maxOccurs="unbounded">
          <xs:element ref="dss:Document"/>
          <xs:element ref="dss:DocumentHash"/>
          <xs:any namespace="##other" processContents="lax"/>
        </xs:choice>
      </xs:sequence>
    </xs:complexType>
  </xs:element>

  <xs:complexType name="DocumentBaseType" abstract="true">
    <xs:sequence>
      <xs:element ref="ds:Transforms" minOccurs="0"/>
      <xs:element name="Schema" type="xs:base64Binary" minOccurs="0"/>
    </xs:sequence>
    <xs:attribute name="ID" type="xs:ID" use="optional"/>
    <xs:attribute name="RefURI" type="xs:anyURI" use="optional"/>
    <xs:attribute name="RefType" type="xs:anyURI" use="optional"/>
  </xs:complexType>

  <xs:element name="Document">
    <xs:complexType>
      <xs:complexContent>
        <xs:extension base="dss:DocumentBaseType">
          <xs:choice>
            <xs:element ref="dss:XMLData"/>
            <xs:element ref="dss:Base64Data"/>
          </xs:choice>
        </xs:extension>
      </xs:complexContent>
    </xs:complexType>
  </xs:element>

  <xs:element name="XMLData" type="dss:DSSAnyType"/>

  <xs:element name="Base64Data">
    <xs:complexType>
      <xs:simpleContent>
        <xs:extension base="xs:base64Binary">
          <xs:attribute name="MimeType" type="xs:string" use="optional"/>
        </xs:extension>
      </xs:simpleContent>
    </xs:complexType>
  </xs:element>

  <xs:element name="DocumentHash">
    <xs:complexType>
      <xs:complexContent>
        <xs:extension base="dss:DocumentBaseType">
          <xs:sequence>
            <xs:element ref="ds:DigestMethod"/>
            <xs:element ref="ds:DigestValue"/>
          </xs:sequence>
        </xs:extension>
      </xs:complexContent>
    </xs:complexType>
  </xs:element>

  <xs:element name="SignatureObject">
    <xs:complexType>
      <xs:sequence>
        <xs:choice>
          <!-- <xs:element ref="ds:Signature"/> -->
          <xs:element ref="dss:XMLSignature"/>
          <xs:element ref="dss:Timestamp"/>
          <xs:element ref="dss:Base64Signature"/>
          <xs:element ref="dss:SignaturePtr"/>
          <xs:any namespace="##other" processContents="lax"/>
        </xs:choice>
        <xs:element name="Schema" type="xs:base64Binary" minOccurs="0"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>

  <xs:element name="XMLSignature">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="ds:Signature"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>

  <xs:element name="Base64Signature">
    <xs:complexType>
      <xs:simpleContent>
        <xs:extension base="xs:base64Binary">
          <xs:attribute name="Type" type="xs:anyURI"/>
        </xs:extension>
      </xs:simpleContent>
    </xs:complexType>
  </xs:element>

  <xs:element name="SignaturePtr">
    <xs:complexType>
      <xs:attribute name="WhichDocument" type="xs:IDREF"/>
      <xs:attribute name="XPath" type="xs:string" use="optional"/>
    </xs:complexType>
  </xs:element>

  <xs:element name="Result">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="ResultMajor" type="xs:anyURI"/>
        <xs:element name="ResultMinor" type="xs:anyURI" minOccurs="0"/>
        <xs:element name="ResultMessage" type="dss:InternationalStringType" minOccurs="0"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>

  <!-- TODO get rid of this -->
  <xs:element name="OptionalInputs" type="dss:DSSAnyType"/>
  <!-- TODO get rid of this -->
  <xs:element name="OptionalOutputs" type="dss:DSSAnyType"/>

  <xs:element name="ServicePolicy" type="xs:anyURI"/>

  <xs:element name="ClaimedIdentity">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="Name" type="saml:NameIdentifierType"/>
        <xs:element name="SupportingInfo" type="dss:DSSAnyType" minOccurs="0"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>

  <xs:element name="Language" type="xs:language"/>
  <xs:element name="AdditionalProfile" type="xs:anyURI"/>
  <!-- COMMON PROTOCOL STRUCTURES -->

  <!-- PROTOCOL MESSAGES BEGIN -->
  <xs:element name="SignRequest">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="OptionalInputs" type="dss:SignRequestOptionalInputs" minOccurs="0"/>
        <xs:element ref="dss:InputDocuments"/>
      </xs:sequence>
      <xs:attribute name="RequestID" type="xs:string" use="optional"/>
      <xs:attribute name="Profile" type="xs:anyURI" use="optional"/>
    </xs:complexType>
  </xs:element>

  <xs:element name="SignResponse">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="dss:Result"/>
        <xs:element name="OptionalOutputs" type="dss:SignResponseOptionalOutputs" minOccurs="0"/>
        <xs:element ref="dss:SignatureObject" minOccurs="0"/>
      </xs:sequence>
      <xs:attribute name="RequestID" type="xs:string" use="optional"/>
      <xs:attribute name="Profile" type="xs:anyURI" use="required"/>
    </xs:complexType>
  </xs:element>

  <xs:element name="VerifyRequest">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="OptionalInputs" type="dss:VerifyRequestOptionalInputs" minOccurs="0"/>
        <xs:element ref="dss:SignatureObject" minOccurs="0"/>
        <xs:element ref="dss:InputDocuments" minOccurs="0"/>
      </xs:sequence>
      <xs:attribute name="RequestID" type="xs:string" use="optional"/>
      <xs:attribute name="Profile" type="xs:anyURI" use="optional"/>
    </xs:complexType>
  </xs:element>

  <xs:element name="VerifyResponse">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="dss:Result"/>
        <xs:element name="OptionalOutputs" type="dss:VerifyResponseOptionalOutputs" minOccurs="0"/>
      </xs:sequence>
      <xs:attribute name="RequestID" type="xs:string" use="optional"/>
      <xs:attribute name="Profile" type="xs:anyURI" use="required"/>
    </xs:complexType>
  </xs:element>
  <!-- PROTOCOL MESSAGES END -->

  <!-- SIGNREQUEST OPTIONAL INPUTS START -->
  <!-- SignRequestOptionalInputs Type START -->
  <xs:complexType name="SignRequestOptionalInputs">
    <xs:sequence>
      <xs:choice minOccurs="1" maxOccurs="unbounded">
        <xs:element name="SignatureType" type="xs:anyURI"/>
        <xs:element name="AddTimestamp">
          <xs:complexType>
            <xs:attribute name="Type" type="xs:anyURI" use="optional"/>
          </xs:complexType>
        </xs:element>
        <xs:element name="IntendedAudience">
          <xs:complexType>
            <xs:sequence>
              <xs:element name="Recipient" type="saml:NameIdentifierType" maxOccurs="unbounded"/>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
        <xs:element name="KeySelector">
          <xs:complexType>
            <xs:choice>
              <!-- <xs:element ref="ds:KeyInfo"/> -->
              <xs:element ref="dss:XMLKeyInfo"/>
              <xs:any namespace="##other" processContents="lax"/>
            </xs:choice>
          </xs:complexType>
        </xs:element>
        <xs:element name="SignedReferences">
          <xs:complexType>
            <xs:sequence>
              <xs:element ref="dss:SignedReference" maxOccurs="unbounded"/>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
        <xs:element name="Properties">
          <xs:complexType>
            <xs:sequence>
              <xs:element name="SignedProperties" type="dss:PropertiesType" minOccurs="0"/>
              <xs:element name="UnsignedProperties" type="dss:PropertiesType" minOccurs="0"/>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
        <xs:element name="SignaturePlacement">
          <xs:complexType>
            <xs:choice>
              <xs:element name="XPathAfter" type="xs:string"/>
              <xs:element name="XPathFirstChildOf" type="xs:string"/>
            </xs:choice>
            <xs:attribute name="WhichDocument" type="xs:IDREF"/>
          </xs:complexType>
        </xs:element>
        <xs:element name="EnvelopingSignature">
          <xs:complexType>
            <xs:attribute name="WhichDocument" type="xs:IDREF"/>
            <xs:attribute name="ObjId" type="xs:string" use="optional"/>
          </xs:complexType>
        </xs:element>
        <xs:any namespace="##other" processContents="lax"/>
      </xs:choice>
    </xs:sequence>
  </xs:complexType>
  <!-- SignRequestOptionalInputs Type END -->

  <xs:element name="Property">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="Identifier" type="xs:anyURI"/>
        <xs:element name="Value" type="dss:DSSAnyType" minOccurs="0"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>

  <xs:complexType name="PropertiesType">
    <xs:sequence>
      <xs:element ref="dss:Property" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>

  <xs:element name="XMLKeyInfo">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="ds:KeyInfo"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>

  <xs:element name="SignedReference">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="ds:Transforms" minOccurs="0"/>
      </xs:sequence>
      <xs:attribute name="WhichDocument" type="xs:IDREF" use="required"/>
      <xs:attribute name="RefId" type="xs:string" use="optional"/>
    </xs:complexType>
  </xs:element>
  <!-- SIGNREQUEST OPTIONAL INPUTS END -->

  <!-- SIGNRESPONSE OPTIONAL OUTPUTS START -->
  <xs:complexType name="SignResponseOptionalOutputs">
    <xs:sequence>
      <xs:choice minOccurs="1" maxOccurs="unbounded">
        <xs:element name="DocumentWithSignature">
          <xs:complexType>
            <xs:sequence>
              <xs:element ref="dss:Document"/>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
        <xs:any namespace="##other" processContents="lax"/>
      </xs:choice>
    </xs:sequence>
  </xs:complexType>
  <!-- SIGNRESPONSE OPTIONAL OUTPUTS END -->

  <!-- VERIFYREQUEST OPTIONAL INPUTS START -->
  <xs:complexType name="VerifyRequestOptionalInputs">
    <xs:sequence>
      <xs:choice minOccurs="0" maxOccurs="unbounded">
        <xs:element name="VerifyManifests"/>
        <xs:element name="VerificationTime" type="xs:dateTime"/>
        <xs:element name="AdditionalKeyInfo">
          <xs:complexType>
            <xs:sequence>
              <xs:element ref="ds:KeyInfo"/>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
        <xs:element name="ReturnProcessingDetails"/>
        <xs:element name="ReturnSigningTime"/>
        <xs:element name="ReturnTimestampTime"/>
        <xs:element name="ReturnSignerIdentity"/>
        <xs:element name="ReturnUpdatedSignature">
          <xs:complexType>
            <xs:attribute name="Type" type="xs:anyURI" use="optional"/>
          </xs:complexType>
        </xs:element>
        <xs:element name="ReturnTransformedDocument">
          <xs:complexType>
            <xs:attribute name="WhichReference" type="xs:integer" use="required"/>
          </xs:complexType>
        </xs:element>
        <xs:any namespace="##other" processContents="lax"/>
      </xs:choice>
    </xs:sequence>
  </xs:complexType>
  <!-- VERIFYREQUEST OPTIONAL INPUTS END -->

  <!-- VERIFYRESPONSE OPTIONAL OUTPUTS START -->
  <!-- VerifyResponseOptionalOutputs START -->
  <xs:complexType name="VerifyResponseOptionalOutputs">
    <xs:sequence>
      <xs:choice minOccurs="1" maxOccurs="unbounded">
        <xs:element name="ProcessingDetails">
          <xs:complexType>
            <xs:sequence>
              <xs:element name="ValidDetail" type="dss:DetailType" minOccurs="0" maxOccurs="unbounded"/>
              <xs:element name="IndeterminateDetail" type="dss:DetailType" minOccurs="0" maxOccurs="unbounded"/>
              <xs:element name="InvalidDetail" type="dss:DetailType" minOccurs="0" maxOccurs="unbounded"/>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
        <xs:element name="SigningTime">
          <xs:complexType>
            <xs:simpleContent>
              <xs:extension base="xs:dateTime">
                <xs:attribute name="ThirdPartyTimestamp" type="xs:boolean" use="required"/>
              </xs:extension>
            </xs:simpleContent>
          </xs:complexType>
        </xs:element>
        <xs:element name="TimestampTime" type="xs:dateTime"/>
        <xs:element name="SignerIdentity" type="saml:NameIdentifierType"/>
        <xs:element name="UpdatedSignature">
          <xs:complexType>
            <xs:sequence>
              <xs:element ref="dss:SignatureObject"/>
            </xs:sequence>
            <xs:attribute name="Type" type="xs:anyURI" use="optional"/>
          </xs:complexType>
        </xs:element>
        <xs:element name="TransformedDocument">
          <xs:complexType>
            <xs:sequence>
              <xs:element ref="dss:XMLData"/>
            </xs:sequence>
            <xs:attribute name="WhichReference" type="xs:integer" use="required"/>
          </xs:complexType>
        </xs:element>
        <xs:any namespace="##other" processContents="lax"/>
      </xs:choice>
    </xs:sequence>
  </xs:complexType>
  <!-- VerifyResponseOptionalOutputs END -->

  <xs:complexType name="DetailType">
    <xs:sequence>
      <xs:element name="Code" type="xs:anyURI" minOccurs="0"/>
      <xs:element name="Message" type="dss:InternationalStringType" minOccurs="0"/>
      <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="Type" type="xs:anyURI" use="required"/>
  </xs:complexType>
  <!-- VERIFYRESPONSE OPTIONAL OUTPUTS END -->

  <!-- TIMESTAMP BEGIN -->
  <xs:element name="Timestamp">
    <xs:complexType>
      <xs:choice>
        <!-- <xs:element ref="ds:Signature"/> -->
        <xs:element ref="dss:XMLSignature"/>
        <xs:element name="RFC3161TimeStampToken" type="xs:base64Binary"/>
        <xs:any namespace="##other" processContents="lax"/>
      </xs:choice>
    </xs:complexType>
  </xs:element>

  <xs:element name="TstInfo">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="SerialNumber" type="xs:integer"/>
        <xs:element name="CreationTime" type="xs:dateTime"/>
        <xs:element name="Policy" type="xs:anyURI" minOccurs="0"/>
        <xs:element name="ErrorBound" type="xs:duration" minOccurs="0"/>
        <xs:element name="Ordered" type="xs:boolean" default="false" minOccurs="0"/>
        <xs:element name="TSA" type="saml:NameIdentifierType" minOccurs="0"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <!-- TIMESTAMP END -->

  <!-- REQUESTER IDENTITY BEGIN -->
  <xs:element name="RequesterIdentity">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="Name" type="saml:NameIdentifierType"/>
        <xs:element name="SupportingInfo" type="dss:DSSAnyType" minOccurs="0"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <!-- REQUESTER IDENTITY END -->
</xs:schema>