OASIS Mailing List Archives

wss message



Subject: RE: [wss] RE: [wss-comment] Id clash case


"Paul Cotton" <pcotton@microsoft.com> wrote on 04/27/2005 10:08:19 AM:

> Manveen originally asked:
> > It is not clearly stated what should happen when a wsu:Id or another 
> > form of ID do clash?
> 
> Michael McIntosh stated:
> > I think WS-Security should (as it does) make it clear that the presence of
> > multiple IDs with the same value should not be allowed.
> 
> WSS 1.0 currently states:
> > "Two wsu:Id attributes within an XML document MUST NOT have the same
> > value.
> 
> As Manveen has pointed out, I do not think that WS-Security clearly
> handles the case where a wsu:id attribute has the same value as another
> id attribute that is NOT from the wsu namespace e.g. xml:id. 
> 
> Mike: Do you want to extend the WSS uniqueness constraint to cover the
> case where another id attribute (not in the wsu namespace) has the same
> value as a wsu:id attribute? 

I think that is what was intended - the addition of other forms of ID came 
late and it looks like this case was not properly covered in the added 
text.

> 
> /paulc
> 
> Paul Cotton, Microsoft Canada 
> 17 Eleanor Drive, Nepean, Ontario K2E 6A3 
> Tel: (613) 225-5445 Fax: (425) 936-7329 
> mailto:pcotton@microsoft.com
> 
> 
> 
> > -----Original Message-----
> > From: Michael McIntosh [mailto:mikemci@us.ibm.com]
> > Sent: April 27, 2005 8:05 AM
> > To: Paul Cotton
> > Cc: Manveen Kaur; wss@lists.oasis-open.org
> > Subject: Re: [wss] RE: [wss-comment] Id clash case
> > 
> > "Paul Cotton" <pcotton@microsoft.com> wrote on 04/26/2005 08:32:10 PM:
> > 
> > > moving discussion to the TC email list:
> > >
> > > Another source of information on the processing of id attributes is
> > > the new W3C xml:id WD:
> > > http://www.w3.org/TR/xml-id/
> > >
> > > Note that even this specification does NOT enforce the uniqueness
> > > constraint with a MUST:
> > > "An xml:id processor should assure that the following constraints hold:
> > > *         The values of all xml:id attributes and all attributes of
> > > type "ID" within a document are unique."
> > > And to make the puzzle complete even when the above constraint is
> > > upheld by the xml:id processor then the error is non-fatal:
> > > [Definition: An xml:id error is a non-fatal error that occurs when an
> > > xml:id processor finds that a document has violated the constraints
> > > of this specification.]
> > > So it appears to me that the semantics of what happens for duplicate
> > > ids is determined at the application level.
> > 
> > I think WS-Security should (as it does) make it clear that the presence of
> > multiple IDs with the same value should not be allowed. One of the
> > elements with the same ID value could be signed and verified by the
> > security layer, while a second unsigned element with the same ID value
> > could be passed to the application. The application might incorrectly
> > assume that the element had been signed and verified. It is better for the
> > security layer to reject such messages.
> > 
> > > /paulc
> > >
> > > Paul Cotton, Microsoft Canada
> > > 17 Eleanor Drive, Nepean, Ontario K2E 6A3
> > > Tel: (613) 225-5445 Fax: (425) 936-7329
> > > mailto:pcotton@microsoft.com
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: Manveen Kaur [mailto:Manveen.Kaur@Sun.COM]
> > > > Sent: April 26, 2005 8:05 PM
> > > > To: wss-comment@lists.oasis-open.org
> > > > Subject: [wss-comment] Id clash case
> > > >
> > > > Hi,
> > > >
> > > > WSS specification [1] Lines 405-408 state-
> > > >
> > > > "Two wsu:Id attributes within an XML document MUST NOT have the same
> > > > value. Implementations MAY rely on XML Schema validation to provide
> > > > rudimentary enforcement for intra-document uniqueness. However,
> > > > applications SHOULD NOT rely on schema validation alone to enforce
> > > > uniqueness."
> > > >
> > > > It is not clearly stated what should happen when a wsu:Id or another
> > > > form of ID do clash?
> > > >
> > > > DOM defines behaviour as undefined and shorthand xpointer says it would
> > > > use the first element found in that Id.
> > > >
> > > > What is the implementation's expected behaviour in this case?
> > > >
> > > > Thanks,
> > > > --Manveen
> > > >
> > > > [1] http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf
> > > >
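The rejection rule discussed in this thread, covering the cross-namespace case (a wsu:Id value equal to an xml:id value), as an added example that is not part of the original messages or of any WSS implementation. The function names and the set of attributes treated as ID-typed (wsu:Id, xml:id, unqualified Id) are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
XML_NS = "http://www.w3.org/XML/1998/namespace"

# Attributes treated as ID-typed. Assumption: with no schema or DTD available
# we recognise wsu:Id, xml:id and the unqualified "Id" attribute used on
# XML Signature and XML Encryption elements.
ID_ATTRS = {f"{{{WSU_NS}}}Id": "wsu:Id", f"{{{XML_NS}}}id": "xml:id", "Id": "Id"}


class DuplicateIdError(ValueError):
    """Raised when two ID-typed attributes in one message share a value."""


def find_id_clashes(xml_bytes):
    """Map each ID value used more than once to its (element, attribute) uses."""
    seen = defaultdict(list)
    # For untrusted input, parse with a hardened parser such as defusedxml.
    for elem in ET.fromstring(xml_bytes).iter():
        for attr, label in ID_ATTRS.items():
            if attr in elem.attrib:
                local_name = elem.tag.rsplit("}", 1)[-1]
                seen[elem.attrib[attr]].append((local_name, label))
    return {value: uses for value, uses in seen.items() if len(uses) > 1}


def enforce_unique_ids(xml_bytes):
    """Reject the message before any reference is resolved or content passed on."""
    clashes = find_id_clashes(xml_bytes)
    if clashes:
        raise DuplicateIdError(f"duplicate ID values: {sorted(clashes)}")


# Constructed sample: wsu:Id on Body clashes with xml:id on a header element.
CLASHING = f"""<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="{WSU_NS}">
  <Header><Note xml:id="body-1">unsigned</Note></Header>
  <Body wsu:Id="body-1"><Transfer amount="10"/></Body>
</Envelope>""".encode()

# Same message with the header element given its own ID value.
CLEAN = CLASHING.replace(b'xml:id="body-1"', b'xml:id="note-1"')

if __name__ == "__main__":
    print(find_id_clashes(CLASHING))
    enforce_unique_ids(CLEAN)  # passes silently
```

Running the check over every ID-typed attribute at once, rather than per namespace, is what closes the gap between the wsu:Id-only wording and other forms of ID.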


