Milan,
Anything can be an Id, but it needs to be defined as such within the DTD/Schema (type=ID). In the XML DSIG spec, anything that has a type="ID" attribute is called "Id", so references, objects, manifests etc. should all have attributes called Id.
But if the file is parsed in non-validating mode, then the library needs to make a few assumptions, and so searches for any attribute called Id (or in the case of the Java library, Id or id). There has been some discussion on the list in the past as to whether this is correct. I've always been comfortable for validating a signature, as either the assumption is correct (and the signature either validates or fails because the reference has changed) or the assumption is wrong (in which case the reference will fail because it isn't getting the right data).
For signing, it's a bit trickier. You could really argue that neither library should be signing anything if it isn't a formal Id.
I agree with that. I don't think the library should be guessing what an ID is in the signing case.
DOM L3 has a new method Element.setIdAttributeNS that allows you to register an Element's attribute as type ID. JSR 105 also has an equivalent method DOMIdMap.setIdAttributeNS. These methods are useful for registering IDs in the signing case (so the library doesn't have to guess) and in the validating case, when you are using a non-validating parser.
--Sean
Don't know if that helps, or if I've just made things worse.
Cheers, Berin
Erwin van der Koogh wrote:
[snip example..]
Apache Java libraries allow URI "Id" attribute to be "Id" or "id". Apache C++ libraries allow only "Id". W3C recommends "Id". What is right?
Was this bug fixed?
I am not entirely clear what you think is a bug?
If the W3C RECOMMENDS "Id" (and I haven't read the spec lately, so I am not sure) then there's no clear definition of what should happen. The Apache library apparently thinks that "id" is also correct, which is proper behaviour. That the C++ library isn't as liberal as the Java library might be inconvenient, but there's nothing to force the acceptance of "id" in the spec.
I agree it might be a little confusing that both do different things, but I am fairly certain that they both do the right thing.
Let me know if you think this is not the case :)
Erwin
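
The DOM Level 3 ID registration mentioned in the thread above, as an added example that is not part of the original messages or of either Apache library: with a non-validating parse no attribute has type ID, so a same-document reference resolves only after `Element.setIdAttributeNS` is called. The class name, the helper names `resolve` and `registerIds`, and the sample XML are constructed for illustration.

```java
import java.io.StringReader;
import java.util.HashSet;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class IdRegistrationDemo {
    // Constructed sample: no DTD or schema, so the parser assigns no ID types.
    // One element uses "Id", the other "id", with the same value.
    static final String XML =
        "<doc><item Id=\"a1\">signed</item><item id=\"a1\">other</item></doc>";

    // Resolve a reference fragment against registered IDs only (no name guessing).
    static Element resolve(Document doc, String fragment) {
        return doc.getElementById(fragment);
    }

    // Register the unqualified attribute attrName (exact case) as type ID on every
    // element that carries it, and refuse documents where a value appears twice.
    static void registerIds(Document doc, String attrName) {
        Set<String> seen = new HashSet<>();
        NodeList all = doc.getElementsByTagName("*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (!e.hasAttributeNS(null, attrName)) continue;
            String value = e.getAttributeNS(null, attrName);
            if (!seen.add(value))
                throw new IllegalStateException("duplicate " + attrName + "=" + value);
            e.setIdAttributeNS(null, attrName, true);
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(XML)));
        // Before registration the lookup finds nothing, whatever the attribute is called.
        System.out.println("before: " + resolve(doc, "a1"));
        registerIds(doc, "Id");
        // After registration only the element with the exact-case "Id" is an ID target.
        System.out.println("after:  " + resolve(doc, "a1").getTextContent());
    }
}
```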