saml-dev message

Subject: Re: [saml-dev] empty xml:lang="" in SAML Metadata

On 9/26/19, 8:53 AM, "Peter Schober" <peter.schober@univie.ac.at> wrote:

> For xmllint and XmlSecTool those errors were reported when using older
> XSD schema files -- I have been using the ones curated and edited by
> the UKfederation[1] for a while now -- but also from the Shibboleth SP
> (due to its manual verification, I think).

It's the manual step, because the XML.xsd file in the software tree I'm looking at has an allowance for empty string. Absent other considerations, I would consider that a bug in the SP.

That assumes it's actually using that schema. This could be baked into Xerces too...

Using the XML (as in *the* XML) schema itself is one of those precarious decisions because schema evolution and management of namespaces was and is botched by pretty much everybody involved. They have made changes to a schema for a namespace, and that's effectively not possible in most cases; it's like breaking an API without versioning.

So to the extent that that schema did or didn't change over time, it probably changed improperly. But I don't know that the SP ever had a version of that schema that was different from now, nor do I know whether the version is in any formal sense associated with particular XML specification versions.

> which then seems to have turned around and decided the opposite was the case:
> https://lists.geant.org/sympa/arc/edugain-discuss/2019-09/msg00057.html

Well, I don't know if there was a real change to the xml:lang rules or not. I guess maybe all that empty string to override the parent element stuff came in at once, though. I really would have to look.

> Is the formal reference in SAML 2.0 Core to XML 1.0 2nd ed. the
> sole relevant data point to consider?

Well, if one wants to get technical about it...sure. But this is where the reality doesn't match the paper. You have to use XML code as it exists, not frozen in time based on a spec. But without a process to update the standard...

Ultimately, it's either gonna rot, or we have to consider updating all the key references as part of a minimal 2.1, I suppose.

> (I recall statements about empty strings or elements generally not
> being allowed in SAML but can't easily find any references to that and
> clearly the spec itself allows for e.g. empty attributes, however
> misguided their actual use may be.)

It's in the intro material on strings. And yes, technically without a statement to the contrary, it is strictly correct to say that it would disallow xml:lang=""

It would be the sort of thing that would motivate me to say that my software might be correct but not usefully correct.

*However*, I would have to review the meaning of it. AFAIK, an empty lang does not mean "the default", it just means "unset the existing value". That would leave a bare element with an empty xml:lang with no lang. And that is not generally allowed by the relevant specs, at least not in spirit.

So that may complicate things. If I'm wrong and it does mean "the default", then that's a plausible argument to allow it. I think that is a first order question to answer.

-- Scott
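
Added example, not part of the message above and not code from the Shibboleth SP or any OASIS schema: a small checker that walks a metadata document, resolves the inherited `xml:lang` for each element, and flags elements carrying `xml:lang=""`. It assumes the "unset the existing value" reading discussed in the message; the sample metadata, `lang_report` and `empty_lang_elements` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

# Constructed sample metadata (entityID and names are made up).
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth" xml:lang="en">
  <md:Organization>
    <md:OrganizationName xml:lang="de">Beispiel</md:OrganizationName>
    <md:OrganizationName xml:lang="">Example</md:OrganizationName>
    <md:OrganizationDisplayName>Example Org</md:OrganizationDisplayName>
  </md:Organization>
</md:EntityDescriptor>"""


def lang_report(xml_text):
    """Return (path, declared, effective) for every element.

    declared is the literal xml:lang value (None if absent); effective is the
    language after inheritance, with "" treated as "unset" (assumption: the
    reading discussed in the message above).
    """
    rows = []

    def walk(elem, inherited, parent_path):
        path = parent_path + "/" + elem.tag.rsplit("}", 1)[-1]
        declared = elem.get(XML_LANG)
        if declared is None:
            effective = inherited      # no attribute: inherit from parent
        elif declared == "":
            effective = None           # empty: inherited value is unset
        else:
            effective = declared
        rows.append((path, declared, effective))
        for child in elem:
            walk(child, effective, path)

    # ElementTree is fine for this trusted inline sample; parse metadata
    # fetched from elsewhere with a hardened parser (e.g. defusedxml).
    walk(ET.fromstring(xml_text), None, "")
    return rows


def empty_lang_elements(xml_text):
    """Paths of elements that carry xml:lang="" and end up with no language."""
    return [p for p, declared, eff in lang_report(xml_text) if declared == ""]


if __name__ == "__main__":
    for row in lang_report(SAMPLE):
        print(row)
```

Under this reading the second `OrganizationName` ends up with no language at all even though the enclosing `EntityDescriptor` declares `en`, which is the "bare element with no lang" case the message describes.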