Rename MaxReferencesPerSignedInfo AppContext switch to include .Xml namespace

[Copilot]

Description

Renames the AppContext switch System.Security.Cryptography.MaxReferencesPerSignedInfo to System.Security.Cryptography.Xml.MaxReferencesPerSignedInfo to properly reflect the library namespace hierarchy.

Changes Made

• Updated LocalAppContextSwitches.cs: Changed AppContext.GetData() call from "System.Security.Cryptography.MaxReferencesPerSignedInfo" to "System.Security.Cryptography.Xml.MaxReferencesPerSignedInfo"
• Updated SignedXml_Limits.cs: Changed test constant MaxReferencesPerSignedInfoAppContextSwitch to use the new switch name

This aligns the switch naming with the System.Security.Cryptography.Xml library namespace where it resides, following the pattern established in PR #123721.

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[dotnet-policy-service]

Tagging subscribers to this area: @bartonjs, @vcsjones, @dotnet/area-system-security
See info in area-owners.md if you want to be subscribed.

[vcsjones]

I didn't do this initially because we didn't do it for the PKCS#12 iteration limits (which if we followed this convention, would be under X509Certificates) so I omitted the Xml.

runtime/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/LocalAppContextSwitches.cs

Line 16 in 55f6dc4

object? data = AppContext.GetData("System.Security.Cryptography.Pkcs12UnspecifiedPasswordIterationLimit");

I'm happy with either, just noting that we have some precedent for using "System.Security.Cryptography".

[stephentoub]

@copilot please invoke the code-review skill and post the analysis/results as a comment on this PR

[Copilot]

@copilot please invoke the code-review skill and post the analysis/results as a comment on this PR

🤖 Copilot Code Review — PR #124429

Holistic Assessment

Motivation: The PR aims to align the AppContext switch naming with the library's namespace (System.Security.Cryptography.Xml). However, this contradicts established precedent in the codebase.

Approach: The change is technically correct and complete, but inconsistent with existing patterns. The PKCS#12 iteration limit switch uses System.Security.Cryptography.Pkcs12UnspecifiedPasswordIterationLimit without including the .X509Certificates sub-namespace, even though it lives in that assembly. This PR does the opposite — adding .Xml to make it System.Security.Cryptography.Xml.MaxReferencesPerSignedInfo.

Summary: ⚠️ Needs Human Review. The code changes are correct and complete, but the naming direction conflicts with established precedent. The switch was originally named System.Security.Cryptography.MaxReferencesPerSignedInfo (without .Xml), consistent with the PKCS#12 pattern. This PR renamed it to include .Xml, which may break existing users who configured the original switch name. A human decision is needed on whether to: (1) keep this PR as-is and accept the inconsistency with PKCS#12, (2) revert to the original name for consistency, or (3) rename both switches uniformly in a dedicated PR.

---

Detailed Findings

⚠️ Naming Inconsistency with Established Precedent

The PR renames the switch from System.Security.Cryptography.MaxReferencesPerSignedInfo to System.Security.Cryptography.Xml.MaxReferencesPerSignedInfo, adding the .Xml sub-namespace component.

However, there's established precedent for NOT including sub-namespace components in AppContext switch names:

• PKCS#12 switch: System.Security.Cryptography.Pkcs12UnspecifiedPasswordIterationLimit (no .X509Certificates)
  • Location: src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/LocalAppContextSwitches.cs:16
  • Pattern: Uses only System.Security.Cryptography.* without the .X509Certificates portion

This PR goes in the opposite direction of that precedent. As @vcsjones noted, they originally omitted .Xml specifically to follow the PKCS#12 pattern.

Impact: This is a breaking change for any users who already configured the switch using the original name System.Security.Cryptography.MaxReferencesPerSignedInfo. They would need to update their configuration.

Recommendation: Decide on a consistent policy:

1. Revert this PR to keep System.Security.Cryptography.MaxReferencesPerSignedInfo (consistent with PKCS#12)
2. Keep this PR and accept the inconsistency
3. In a separate effort, rename both switches uniformly (either both include sub-namespaces or neither does)

✅ Code Changes Are Correct

The implementation changes are technically correct:

• Both the implementation (LocalAppContextSwitches.cs:15) and test constant (SignedXml_Limits.cs:16) were updated consistently
• No other references to the old switch name exist in the codebase
• The code compiles and tests validate the functionality

✅ Test Coverage

The existing tests (MaxReferences_AppContextSwitch test method) properly validate the switch behavior with various configurations. No additional tests are needed for this rename.

---

Verdict: This requires a maintainer decision on naming policy. The code itself is correct, but the naming direction needs resolution.

[dotnet-policy-service]

Draft Pull Request was automatically closed for 30 days of inactivity. Please let us know if you'd like to reopen it.