OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

wss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [wss] Issue 196: QNames

> >I think qnames make implementation harder (they really are a layering
> >violation:), and the security/c14n intricacies are very difficult to
> >properly specify, let alone implement.
>

> I don't understand you comments, are you saying that you can't implement
> qnames ? Also can you point me to where its stated that its a "layering
> violation".

No, I can implement qnames, and have.  That's how I know they're a layering
violation. :)  I can't think of any other element or attribute content
that is affected by to element or attribute information (maybe xml:space, but
that's not quite the same).  In the Infoset view, to get the value of
a qname, you have to look at the namespace bindings that are in-scope in
the containing element.  You can't look at just "the value".
In a DOM, you can call a method but basically you have to walk up
the tree.  A SAX-based model would require the callbacks to maintain
a stack of in-scope bindings on their own.

Again, when looking at a qname you have to look at the namespace bindings
that are in-scope at the place where the qname appears.  At no other
time when looking at content do you have to know the context.  Hence,
layering violation. :)

Qnames as values are inconsistent.  For example, if myattr is a qname:
        <foo xmlns="http://www.example.org/q"; myattr="frag"/>
foo is in the default namespace, the name myattr is not in any namespace,
but frag is in the example.org namespace.  This rewrite makes it
more explicit:
        <Z:foo xmlns:Z="http://www.example.org/q"; myattr="Z:frag"/>
That's kind gross, don't you think? :)

> >The sooner we move to pure-URI the better off, and more secure, we'll all
> >be.
>
> Elaborate please.

I think the above -- and heck, the whole TAG qname document -- shows
why avoiding them makes us "better off."  As for the security implications,
Hal and Merlin have already made postings that are far better than any
I could do.  Hopefully someone will followup with links into the
archives for those postings.

        /r$
--
Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
XML Security Overview      http://www.datapower.com/xmldev/xmlsecurity.html

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]