Michael Brauer comments: "While I really would like to be able to use the XSD schema here (or have a normative RNG schema), we can only use it if we switch to NVDL. That is something we considered to do for ODF-Next. "

I don't understand the linkage with NVDL as a prerequisite for specifying a single-file schema. I can't see how this has any bearing on whether we use an RNG schema for ODF DSIG or an XML Schema for ODF DSIG. The problem seems to be invariant with respect to NVDL.

My understanding: At the moment all we have schemas for is at most individual XML documents and there is nothing normative (in schema terms) beyond that. As well as I can tell (http://nvdl.org/), NVDL is about having a scripting language for certain kind of validations. I don't see how that presents a constraint on ODF specification, anymore than would a desire by developers or others to use some high-powered version of Schematron or the validation effort that Alex Brown is apparently carrying out at SC34.

My confusion: I don't see how the existence of independent, schema-driven mechanical validators for instances is a condition on ODF 1.2 specifications. I also don't see how XML Schema instance validation is prevented if ODF DSIG is expressed in XML Schema, provided that the XML DSIG Schema can be invoked properly in an instance of ODF DSIG. (I thought using the namespace was sufficient, but I may be oversimplifying.)

Dennis: The root element of a signature is dsig:document-signatures. This is an element that ODF defines. ODF uses Relax-NG as schema language.

The child elements of that element are ds:Signature. These elements are defined by the XML-DSig specification. It uses XSD as schema language.

That means, we indeed have to invoke XSD from within Relax-NG. That is not possible. There is no way to invoke an XSD schema from within an RNG schema. Namespaces don't do that.

What one needs is a schema language on top of RNG and XSD, that allows to combine the two based on namespaces. That's exactly what NVDL does.

Michael, my proposal was to use XML Schema for the <dsig:document-signatures> element just so that we could appeal to the XML-DSig specification for the actual signature element, <ds:SIgnature>. <dsig:document-signatures> is rather trivial, since it will typically only have one element as far as I can tell, even when in the file META-INF/documentsignatures.xml referred to in Part 1.

This is an isolated simple case and doesn't defeat the Part 1 objective of only using RNG (except where it uses OWL, of course).

Do you know of any implementation that supports more than one <ds:Signature> in a <dsig:document-signatures> root element? That should be a lot of fun if any one of them attempts to sign the META-INF/documentsignatures.xml file itself.

The issue was discussed on the 22-02-10 TC meeting and the following resolution was agreed:

The RNG schema mentioned in the comment is non normative, and for this reason cannot be referenced normatively.
For ODF 1.2, a comment will be added to digital signature schema that refers to the restriction of the <ds:Signature> element in ODF 1.2 part 3.
The TC will look for alternative resolutions for a post ODF 1.2 version (which includes but is not limited to referencing a normative RNG schema for W3C XML Digital Signatures (if this is available) or the use of NVDL).

Correction will appear in OpenDocument-dsig-schema-v1.2-cd01-rev01