
security-services message



Subject: Re: [security-services] RE: Comments on XML signature guidelines draft


(Sorry I've been silent for so long; was occupied with other OASIS TC 
work for a couple of weeks...)

It's correct that the XML attribute's type is what matters to the id() 
function in XPath and to the XPointer #id shorthand pointer.  In XPath's 
case, the type must be XML's original ID type (expressed as xs:ID in 
schemas).  In XPointer's case, the latest public draft of the shorthand 
pointer syntax requires xs:ID or a derivation thereof:

   http://www.w3.org/TR/xptr-framework/#b2b1b1b2b4

I wish I had caught this problem when we originally derived saml:IDType 
from xs:string!

Our semantic for IDType already includes uniqueness, although in a 
squishier fashion than xs:ID does (where it must be unique only within 
the scope of a single XML document), so I think it should be safe to 
change (either to xs:ID or to a SAML derivation of it; the former is 
more powerful).  And it's backwards-compatible, since xs:IDs adhere to 
stricter semantic and syntactic rules than xs:string does.

	Eve

p.s. If any of you are in the habit of calling me on my cell phone, 
please note my new cell number in my .sig below.

Scott Cantor wrote:
>>Not the attribute itself must be named "ID", but it must be 
>>of type "xsd:ID", which is a predefined type of the XML schema. 
>>So it would be sufficient to type "AssertionID", "RequestID" 
>>and "ResponseID" not with the self-made "IDType" in the SAML 
>>Assertion schema, but to the standard ID type from XML schema.
> 
> 
> It's possible, but while there may not be an obvious use case for
> putting the same assertion more than once in a document, something about
> that makes me a little uncomfortable...
> 
> -- Scott

-- 
Eve Maler                                        +1 781 442 3190
Sun Microsystems                     NEW!!! cell +1 781 354 9441
Web Technologies and Standards               eve.maler @ sun.com
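
The point discussed in this message, as an added example that is not part of the original e-mail or of any SAML schema: a same-document reference such as `#_a1` resolves only when the attribute is ID-typed, and xs:ID adds lexical and per-document uniqueness rules. The sample documents, the helper names, and the use of `setIdAttribute` to stand in for schema typing are assumptions made for illustration.

```python
import re
from xml.dom import minidom

# Attribute names from the thread; element names are the SAML 1.x ones.
ID_ATTRS = {"Assertion": "AssertionID", "Request": "RequestID",
            "Response": "ResponseID"}
# ASCII-only approximation of the NCName lexical form that xs:ID requires.
NCNAME = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]*$")

# Constructed sample documents (no schema or DTD attached).
SINGLE = '<Response ResponseID="_r1"><Assertion AssertionID="_a1"/></Response>'
DUPLICATED = ('<Response ResponseID="_r1"><Assertion AssertionID="_a1"/>'
              '<Assertion AssertionID="_a1"/></Response>')

def type_as_id(doc):
    """Mark the SAML identifier attributes as ID-typed, standing in for a
    schema that declares them xs:ID, and enforce xs:ID's lexical and
    per-document uniqueness rules."""
    seen = set()
    for el in doc.getElementsByTagName("*"):
        attr = ID_ATTRS.get(el.tagName.split(":")[-1])
        if attr is None or not el.hasAttribute(attr):
            continue
        value = el.getAttribute(attr)
        if not NCNAME.match(value):
            raise ValueError(f"{value!r} is not a valid xs:ID value")
        if value in seen:
            raise ValueError(f"duplicate ID {value!r} in one document")
        seen.add(value)
        el.setIdAttribute(attr)

def resolve(doc, uri):
    """Resolve a same-document reference ('#name') by ID type only."""
    if not uri.startswith("#"):
        raise ValueError("only same-document references are handled")
    return doc.getElementById(uri[1:])

if __name__ == "__main__":
    doc = minidom.parseString(SINGLE)
    print("untyped:", resolve(doc, "#_a1"))   # attribute is just a string
    type_as_id(doc)
    print("typed:  ", resolve(doc, "#_a1").tagName)
    try:
        type_as_id(minidom.parseString(DUPLICATED))
    except ValueError as exc:
        print("rejected:", exc)
```

The duplicated document is the case Scott raises: once the attribute is typed as an ID, the same assertion cannot appear twice in one document.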


