security-services message



Subject: [OASIS Issue Tracker] Created: (SECURITY-22) Schema in sstc-saml-holder-of-key-browser-sso is invalid.


Schema in sstc-saml-holder-of-key-browser-sso is invalid.
---------------------------------------------------------

                 Key: SECURITY-22
                 URL: http://tools.oasis-open.org/issues/browse/SECURITY-22
             Project: OASIS Security Services (SAML) TC
          Issue Type: Bug
          Components: HoK SSO Profile
    Affects Versions: 1.0
            Reporter: Scott Cantor


Reported by Ian Young:

Here are a couple of things I turned up by opening the sstc-saml-holder-of-key-browser-sso schema in an XML-aware editor.  They are both in the only substantive line in the schema:

<xs:attribute name="ProtocolBinding" type="anyURI" use="optional"/>

Problem 1 is that the type="anyURI" refers to a type "anyURI" in the default namespace, which isn't defined.  It needs to be "xs:anyURI" to be valid.  I think this one may have become invalid due to a change of namespace conventions at some point during the schema's development.

Problem 2 is that the "use" attribute must not appear on a global declaration (i.e., one whose parent is <xs:schema>; it just makes no sense there as occurrence constraints only make sense in particular contexts.)  I'm finding it quite hard to find the normative language to support this, but there are random mentions of this restriction in various places in XML Schema documents.

This line appears in the spec, so I guess these issues apply to the spec as well as just the schema file.

This is what I've changed my local copy of the schema to:

<xs:attribute name="ProtocolBinding" type="xs:anyURI"/>




-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
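
A check for the two problems in the report above, as an added example that is not part of the original message or of any OASIS tooling. It flags `use` on global attribute declarations and `type` references that do not resolve. The wrapper schema and the `urn:example:hoksso` namespace are constructed placeholders, and the helper name `lint_global_attributes` is hypothetical.

```python
import io
import xml.etree.ElementTree as ET

XS = "http://www.w3.org/2001/XMLSchema"

# Constructed sample: only the xs:attribute line comes from the report; the
# wrapper and the urn:example:hoksso namespace are placeholders.
REPORTED = """<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns="urn:example:hoksso" targetNamespace="urn:example:hoksso">
  <xs:attribute name="ProtocolBinding" type="anyURI" use="optional"/>
</xs:schema>"""
FIXED = REPORTED.replace('type="anyURI" use="optional"', 'type="xs:anyURI"')


def lint_global_attributes(xsd_text):
    """Return (attribute name, problem) pairs for global xs:attribute declarations."""
    nsmap, root = {}, None
    source = io.BytesIO(xsd_text.encode("utf-8"))
    for event, item in ET.iterparse(source, events=("start-ns", "start")):
        if event == "start-ns":
            nsmap[item[0]] = item[1]  # simplification: prefix scoping is ignored
        elif root is None:
            root = item
    target = root.get("targetNamespace", "")
    # Named types this document defines itself; imported schemas are not followed.
    local_types = {t.get("name") for tag in ("simpleType", "complexType")
                   for t in root.findall(f"{{{XS}}}{tag}")}
    imported = {i.get("namespace", "") for i in root.findall(f"{{{XS}}}import")}
    problems = []
    for attr in root.findall(f"{{{XS}}}attribute"):  # direct children = global
        name = attr.get("name")
        if attr.get("use") is not None:
            problems.append((name, "'use' on a global attribute declaration"))
        prefix, _, local = (attr.get("type") or "").rpartition(":")
        if not local:
            continue
        if prefix and prefix not in nsmap:
            problems.append((name, f"undeclared prefix '{prefix}'"))
            continue
        ns = nsmap.get(prefix, "")
        # Assumption: any name in the XSD namespace is taken to be a built-in type.
        known = ns == XS or ns in imported or (ns == target and local in local_types)
        if not known:
            problems.append((name, f"type {{{ns}}}{local} is not defined"))
    return problems


if __name__ == "__main__":
    for label, doc in (("reported", REPORTED), ("fixed", FIXED)):
        print(label, lint_global_attributes(doc))
```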

        

