OASIS Mailing List Archives

dss message



Subject: Re: [dss] Comments on Core WD 01 3 Oct 03


> <DocumentURI RefURI="#doc1">
>   <URI>http://acme.com/document.xml</URI>
> </DocumentURI>
> 
> The server uses <URI> to retrieve the document, and uses RefURI to 
> construct a <ds:Reference> for the document.

We should say something about the security implications of this.  It's 
all too easy to set things up so that the server fetches, signs, and 
returns documents that the client cannot access.

I should have raised this before.  We may want to consider that the 
client can *only* send entire documents.
	/r$

-- 
Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
XML Security Overview  http://www.datapower.com/xmldev/xmlsecurity.html
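
The concern raised above, as an added example that is not part of the original message or the DSS draft: a server-side check, run before any retrieval, that refuses <DocumentURI> inputs by default and otherwise permits only https URIs on an explicit host allowlist. The <SignRequest> and <Document> element names, the function names and the docs.example.org host are assumptions for illustration.

```python
# Added example: decide whether the server may retrieve a by-reference document.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample request; <SignRequest> and <Document> are assumed names.
SAMPLE_REQUEST = """
<SignRequest>
  <DocumentURI RefURI="#doc1">
    <URI>http://acme.com/document.xml</URI>
  </DocumentURI>
  <DocumentURI RefURI="#doc2">
    <URI>https://docs.example.org/public/contract.xml</URI>
  </DocumentURI>
  <Document RefURI="#doc3">inline content supplied by the client</Document>
</SignRequest>
"""

def fetch_decision(uri, allowed_hosts):
    """Return (allowed, reason) for a URI the server is asked to retrieve."""
    if not allowed_hosts:
        # Default policy: the client may only send entire documents.
        return False, "by-reference documents disabled"
    parts = urlsplit(uri)
    if parts.scheme != "https":
        return False, "scheme not https"
    if parts.username or parts.password or parts.port not in (None, 443):
        return False, "userinfo or non-default port"
    if parts.hostname not in allowed_hosts:
        return False, "host not on allowlist"
    return True, "allowlisted host"

def review_request(xml_text, allowed_hosts=frozenset()):
    """Map each RefURI to (allowed, reason) without fetching anything."""
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DTDs are not accepted in requests")
    results = {}
    for el in ET.fromstring(xml_text):
        ref = el.get("RefURI")
        if el.tag == "DocumentURI":
            uri = (el.findtext("URI") or "").strip()
            results[ref] = fetch_decision(uri, allowed_hosts)
        elif el.tag == "Document":
            results[ref] = (True, "inline document")
        else:
            results[ref] = (False, "unknown input element")
    return results

if __name__ == "__main__":
    for ref, verdict in review_request(SAMPLE_REQUEST, {"docs.example.org"}).items():
        print(ref, verdict)
```

A hostname allowlist only holds if the component that performs the retrieval also refuses redirects to hosts outside the list.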


