
shibboleth-dev - RE: [Shib-Dev] [Patch] SP Config schema bug for <Path>

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: [Shib-Dev] [Patch] SP Config schema bug for <Path>
  • Date: Fri, 23 Oct 2009 13:12:59 -0400
  • Organization: The Ohio State University

Daniel F Crisman wrote on 2009-10-23:
> Yes, I am validating with xmllint from libxml2.
>
> processContents="lax" does not mean skip the contents, it means "If the
> item has a uniquely determined declaration available, it must be valid
> with respect to that definition, that is, validate if you can, don't
> worry if you can't." [1]. So as the <Path> declaration is a global the
> validator has it available and should validate against it.

Yes, but "lax" applies to the child elements of the open content model, in
this case the CredentialResolver element. That means the Certificate element
is skipped, and in every tool I've used, that means any of its content is
also skipped as a result.

If that's a bug, it's a bug in everything I've ever tried, including some of
the very well known benchmark tools, which is interesting. Of course, not
having tried anything very recently, it's possible those bugs have been
fixed. Schema lookup is so badly broken in tools that I don't generally even
try editors anymore, so my information's easily out of date.

That assumes you're reading the spec and can clearly see that it means what
you think. That spec is unreadable, so that's a tough claim. ;-) It's not
beyond the pale that it's libxml2 with the bug, but I'm not claiming that
yet.

> For my personal edification, why are you against local elements?

Because they create ambiguities within a schema where the same element
within a namespace ends up with two different content models, and I don't
buy that as a good thing.

I regret the fact that I wasn't consistent about it, and since I wasn't, I'm
inclined to move more things local simply because I did in some cases
already. I also recognize that it causes issues with the plugin content,
which I didn't run into until very recently. Using "skip" may be the
solution, I don't know.

It's also likely that my preferences for schema design don't apply in the
same way to something like a config file. My attitudes were shaped more by
working on specs.

So...

Strictly speaking, Xerces is the only validator that I can treat as
normative. I'm willing to accept an enhancement request to clean things up,
but it's not a bug that I feel urgency to fix because it does require a lot
of testing and checking that I have to reserve a lot of time for. If I can
reason about the schema change, that helps, but breaking compatibility is
simply not acceptable at this stage, so I have to be 100% sure, not mostly
sure.

Of course, if you're willing to undertake that testing against all the
myriad older configs around, I'm happy to let you. ;-) But merely patching
the schema is the least of the work.

-- Scott
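
A simplified model of the wildcard assessment rule debated in this message, following the reading of the XML Schema 1.0 spec quoted at the top of the thread. It is an added example, not code from the thread or from the Shibboleth project; the `check_path` rule, the declaration table and the sample documents are constructed for illustration, and real validators may behave differently, as the message notes.

```python
import xml.etree.ElementTree as ET

def check_path(el):
    # Constructed stand-in for a global <Path> declaration: text only, no children.
    if (el.text or "").strip() and len(el) == 0:
        return None
    return "Path: expected non-empty text and no child elements"

# Hypothetical table of global element declarations (name -> checker).
GLOBAL_DECLS = {"Path": check_path}

def assess(el, mode, errors):
    """Assess one element matched by a wildcard with the given processContents."""
    if mode == "skip":
        return  # well-formedness only: the whole subtree is unconstrained
    decl = GLOBAL_DECLS.get(el.tag)
    if decl is not None:
        err = decl(el)  # a declaration is available, so it must be satisfied
        if err:
            errors.append(err)
        return
    if mode == "strict":
        errors.append(f"{el.tag}: no declaration available")
        return
    # lax with no declaration: the element is treated as anyType, whose own
    # content wildcard is lax, so each child is laxly assessed in turn.
    for child in el:
        assess(child, "lax", errors)

def validate_plugin(xml_text, mode):
    """Assess the children of an open-content container such as CredentialResolver."""
    root = ET.fromstring(xml_text)
    errors = []
    for child in root:
        assess(child, mode, errors)
    return errors

# Constructed samples: Certificate is undeclared, Path has a global declaration.
BAD = "<CredentialResolver><Certificate><Path><Bogus/></Path></Certificate></CredentialResolver>"
GOOD = "<CredentialResolver><Certificate><Path>sp-cert.pem</Path></Certificate></CredentialResolver>"

if __name__ == "__main__":
    for mode in ("strict", "lax", "skip"):
        print(mode, validate_plugin(BAD, mode))
```

Under this reading, only `skip` guarantees that plugin content nested below an undeclared element is never checked against a same-named global declaration.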
