[1485] in WWW Security List Archive
Comments on Security Extensions For HTML
daemon@ATHENA.MIT.EDU (Glenn Adams)
Thu Feb 15 15:59:56 1996
From: Glenn Adams <glenn@spyglass.com>
Date: Thu, 15 Feb 96 11:00:19 -0500
To: ekr@terisa.com, ams@terisa.com
Cc: html-wg@w3.org, www-security@ns2.rutgers.edu, Christian Mogensen <mogens@mjosa.stanford.edu>
Errors-To: owner-www-security@ns2.rutgers.edu
I have some comments on your recent I-D:
1. DN attribute - you should be specific about which "SGML quoting
convention" you prefer if any, e.g., SGML provides an alternate literal
delimiter (lita) which permits embedding the standard delimiter
(lit) in the string directly. lita is '\'' and lit is '"'. In
addition, HTML specifies the standard entity 'quot' for use as
an entity reference; namely "&quot;". In addition, one can use
a numeric character reference: "&#34;".
Also, you may wish to specify the behavior regarding non-conformant
parsers which interpret '>' in an attribute value literal as a
closing delimiter for both the literal and the tag [e.g., Netscape 1.1].
If DN can contain '>' in its value, then perhaps you want to recommend
using "&gt;" instead.
The same comments apply to NONCE and CRYPTOPS.
2. CRYPTOPS attribute - you mention using quoting "to protect the line
break information". You should be aware that the standard SGML semantics
for interpreting attribute value literals involves a process of white
space normalization as follows [see ISO 8879, clause 7.9.3]:
"An attribute value literal is interpreted as an attribute value
by replacing references within it, ignoring Ee and RS, and replacing
RE or SEPCHAR with a SPACE."
Since RE (record end, i.e., newline) is replaced with SPACE *within* the
literal, you can't depend on line break information being retained unless
you use some other syntactic mechanism.
3. CERTS element - you need to specify its content model. Is it #PCDATA or
RCDATA or CDATA or what?
4. CRYPTOPS element - you need to specify its content model. See above.
Also, you specify the use of a NAME attribute on CRYPTOPS to serve as
an identifier. You should instead specify this attribute as "ID" instead
of "NAME". The use of ID is more conformant with SGML conventions and
permits a validating parser to validate the existence and uniqueness of
ids. In this case, you should not specify that the value of the attribute
starts with "#", since an ID must be a NAME. One nice thing about using
an ID is that you don't have to remember to quote it; whereas, using a
CDATA attribute with '#' always requires quoting.
5. When specifying new elements, you need to specify the context in which
those elements can appear. For example, do you intend for CERTS and
CRYPTOPS to only appear inside of HEAD? If so, then you should specify
this and specify a new value for the %head.content; parameter entity
as found in RFC1866 which accommodates this change.
6. You should specify contact information about yourselves as authors in
the RFC: address, email, etc. I had to track down your email addresses
from Lycos.
Regards,
Glenn Adams
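Added here as an illustration, not part of the original mail or the I-D it reviews: a small Python interpreter of SGML attribute value literals following the ISO 8879 clause 7.9.3 rule quoted above (reference replacement, RS ignored, RE replaced by SPACE), plus a switch mimicking the '>'-terminating behaviour the mail attributes to Netscape 1.1. The entity table, function names and sample CRYPTOPS tags are constructed for the example.

```python
import re

# Entity table for this example (constructed): 'quot' is the entity the mail
# names; gt, lt and amp are the other standard HTML 2.0 entities.
NAMED = {"quot": '"', "gt": ">", "lt": "<", "amp": "&"}
REF = re.compile(r"&(?:([A-Za-z][A-Za-z0-9.-]*)|#([0-9]+));")

def interpret_literal(literal):
    """ISO 8879 clause 7.9.3: attribute value literal -> attribute value.
    `literal` keeps its delimiters: lit '"' or lita "'" (same at both ends).
    References are replaced by data, RS (CR) is ignored, RE (LF) and SEPCHAR
    (TAB) become SPACE. Data produced by a reference is *not* normalized,
    which is why &#10; survives while a raw line break does not."""
    if len(literal) < 2 or literal[0] not in "\"'" or literal[-1] != literal[0]:
        raise ValueError("not a delimited attribute value literal")
    body, out, i = literal[1:-1], [], 0
    while i < len(body):
        m = REF.match(body, i)
        if m:  # entity reference (&quot;) or numeric character reference (&#34;)
            name, num = m.group(1), m.group(2)
            if name is not None and name not in NAMED:
                raise ValueError("undeclared entity: " + name)
            out.append(NAMED[name] if name is not None else chr(int(num)))
            i = m.end()
            continue
        c = body[i]
        if c == "\r":
            pass                 # RS is ignored
        elif c in "\n\t":
            out.append(" ")      # RE / SEPCHAR replaced with SPACE
        else:
            out.append(c)
        i += 1
    return "".join(out)

def attribute_value(tag, name, conformant=True):
    """Value of attribute `name` in one start tag, or None if absent.
    conformant=False mimics the parser behaviour the mail describes: the
    first '>' closes both the tag and any open attribute value literal."""
    text = tag if conformant or ">" not in tag else tag[: tag.index(">")]
    lit = r"(\"[^\"]*\"|'[^']*')" if conformant else r"(\"[^\">]*\"?|'[^'>]*'?)"
    m = re.search(r"\b" + re.escape(name) + r"\s*=\s*" + lit, text, re.I)
    if not m:
        return None
    literal = m.group(1)
    if len(literal) < 2 or literal[-1] != literal[0]:  # cut off at '>': close it there
        literal += literal[0]
    return interpret_literal(literal)
```

Running it shows the two points of the mail side by side: a DN quoted with lita or with &quot;/&#34; comes back intact, a multi-line CRYPTOPS value loses its line breaks, and a raw '>' inside DN is silently truncated by the non-conformant mode while &gt; survives.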