Description
First off, I'm not 100% sure about this one. I've read the xml-enc spec, but all the places I could see this issue directly addressed were in sections explicitly called out as non-normative. Still, my best inference is that the non-normative portions were the algorithms being described - the semantics reflected should be valid.
That said, I think encrypted blocks are not handling inherited namespaces properly. I believe that if an EncryptedData element decrypts to xml content using namespaces that aren't defined within the decrypted content, the spec says to use namespaces in the current parsing context at the point the EncryptedData element was found.
This came up when generating documents that declared all their namespaces at the top level, then contained an encrypted element which contained a signature. The different data structure used to construct the encrypted element does not contain the namespace context for where it is being inserted in the parent document. This broke the signature, because the normalization algorithm treated the namespace identifiers as unknown, rather than as references to the namespaces declared in the root.
I worked around this by re-specifying the namespaces in the encrypted element. But my reading of the spec suggests that isn't strictly necessary, and the way I wanted to do it should work.
Is my reading right? If so, is this a thing that could be added without a ridiculous amount of work?
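To make the behaviour described above concrete, here is an added example (written for this page, not code from the project or the issue author) that parses a constructed decrypted fragment once on its own and once re-bound to the namespace context in scope where the `EncryptedData` element sits in the parent document. The element names, namespaces and the `parse_with_context` helper are assumptions for illustration.

```python
import io
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed parent document: every namespace is declared once, at the root.
PARENT_DOC = (
    '<Envelope xmlns="urn:example:env" xmlns:ds="' + DS + '" xmlns:xenc="' + XENC + '">'
    '<Body><xenc:EncryptedData Type="' + XENC + 'Element">'
    '<xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue></xenc:CipherData>'
    '</xenc:EncryptedData></Body></Envelope>'
)

# Constructed plaintext the EncryptedData decrypts to: uses ds: but never declares it.
DECRYPTED_FRAGMENT = (
    '<ds:Signature><ds:SignedInfo/><ds:SignatureValue>MA==</ds:SignatureValue></ds:Signature>'
)


def parse_standalone(fragment):
    """Parse the decrypted fragment on its own; returns None when a prefix is unbound."""
    try:
        return ET.fromstring(fragment)
    except ET.ParseError:  # expat reports "unbound prefix" for ds:
        return None


def inscope_namespaces(doc_xml, tag="{%s}EncryptedData" % XENC):
    """Return the prefix->URI map in scope at the start of the first `tag` element."""
    stack = []  # (prefix, uri) pairs in declaration order; popped again on end-ns
    events = ("start-ns", "end-ns", "start")
    for event, payload in ET.iterparse(io.BytesIO(doc_xml.encode()), events=events):
        if event == "start-ns":
            stack.append(payload)  # payload is (prefix, uri); prefix "" is the default ns
        elif event == "end-ns":
            stack.pop()
        elif payload.tag == tag:
            return dict(stack)  # inner declarations override outer ones with the same prefix
    return {}


def parse_with_context(fragment, namespaces):
    """Re-bind the fragment inside the namespace context it was extracted from (assumed helper)."""
    decls = "".join(
        ' xmlns="%s"' % uri if prefix == "" else ' xmlns:%s="%s"' % (prefix, uri)
        for prefix, uri in namespaces.items()
    )
    wrapper = ET.fromstring("<ctx%s>%s</ctx>" % (decls, fragment))
    return wrapper[0]  # the decrypted element, now with ds: resolved to the parent's URI
```

With the context applied, `ds:Signature` resolves to the same namespace URI it had in the parent document, which is what a canonicalization step needs in order to see the same element the signer saw.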