[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: RE: [security-services] XML Sig issues w/ SAML
> So what we really should be using is some mechanism that > ensures that every prefix is expanded out to the URI it > references. This would not be well formed XML but it would be > cannonical and the inclusive / exclusive bit would be solved. Why not go the extra yard and define a c14n algorithm that expands the prefixes, and then reassigns them when generating the bytes so that you end up with well-formed XML? Then you don't need a new parser. >I would like to profile the use of transformations very closely. This would >then allow verifiers to reject signatures because the transforms specified >are too complex. > >It would also allow this mode of processing: > >1) Extract the signature node [if doing enveloped] >2) Verify that node contains only the understood transformation(s) >3) Verify that the Id reference points to the expected object >4) Verify the signature That loosely equates with option (1) I proposed, fixing the Transforms element in SAML so that verification doesn't require re-examining the input node set. To avoid XPath, we have to support ID and XLink. -- Scott
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC