DTD's are verboten with SOAP. thanks, dims
On 5/24/07, Da Cruz Pinto, Juan M <[EMAIL PROTECTED]> wrote:
Scott, Thanks for your answer! I know that the c14n specs say that if a DTD is present, and there are default attributes for a given element, these attributes must be added before canonicalizing the document. Anyway, I wouldn't expect to see a SOAP message with an attached DTD, but I'll check this. Thanks! --Marcelo -----Original Message----- From: Scott Cantor [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 23, 2007 12:29 To: security-dev@xml.apache.org Subject: RE: c14n & PSVI > - Does the library consider PSVI (Post-Schema Validation Infoset) > information, or just the plain DOM (as an input for c14n)? C14n is defined around the basic XML spec itself, it's not really infoset or DOM-based IMHO. > - How does c14n deal with default attributes as a result of > previous schema validation? C14n does not know anything about schema validation and cannot include default attributes, at least not XSD stuff. I think it may operate in awareness of DTDs, not sure about that. > o My guess is that c14n uses just what it gets; it does not force > you to apply schema validation before c14n, but again... I'm not sure It not only doesn't force it, it's separate from it. > o In my experience with WS-Security, usually you don't do any > schema validation before signature verification, but I'm not sure how does > it work for plain XML Signature. One reason people don't do it is that it's hard to do safely and avoid corrupting the signature because there are no standard transforms that compensate for schema validation. I believe IBM proposed one at some point but it never went anywhere because people just stopped validating. -- Scott
-- Davanum Srinivas :: http://davanum.wordpress.com
