Figure out if referenced nodes should be detached from parent document when canonicalizing

[kislyuk]

When producing an enveloped signature for a document that declares a default namespace in the root element, references that refer to child nodes in the document are canonicalized differently when detached from the parent document vs. not. Specifically, empty xmlns declarations (xmlns="") can appear when not detaching, and disappear when detaching.

Prior to 34a0c0a, we were detaching the child nodes when signing, but not when verifying, so we produced some signatures we couldn't verify. The excise_empty_xmlns_declarations previously papered over this inconsistency, but now that it's off by default, it became apparent.

It's unclear from https://www.w3.org/TR/xml-c14n11/ and from test cases whether detaching is the correct approach for canonicalization.

One thing to keep in mind is that without roundtripping/detaching, there is no way to keep the canonicalization invariant to the enclosing document so it is probably the correct choice.