The XML Security standards need a data model for and means of expressing operations on XML, particularly extraction of subdocuments. This need could entail modeling parsed XML and sending input to an application from an external encoding or XML that an application constructs internally and has not yet output. For example, an XML document might represent a user form. Assume that a user fills in several fields that XML elements represent and then wants to digitally sign those fields. As Chapter 10 describes in detail, the signature object needs some method of specifying or pointing to these fields. XPath provides the necessary data model and method.
The XPath data model was chosen for two reasons:
Given these requirements and this view of the best XML data model, it is not surprising that XML canonicalization is also based on XPath.
Because XML canonicalization, signatures, and encryption all make use of XPath, at least for expository purposes, a general understanding of XPath is important to understanding these XML security standards. See Figure 6-1. Figure 6-1. Some dependencies on xpathIf you are already familiar with XPath, you can skip this chapter. If you want more details on XPath, see the XPath Recommendation [XPath]. It assumes that XPath is operating on a node-set produced from an entire document. In XML Security, however, an XPath node-set often exists for a document subset. The use of XPath to describe some operations in XML Security does not imply that the application must implement the full capabilities of XPath. Rather, an application typically needs only a subset of these features. Any method that produces the same results is considered acceptable. |