- From: Scott Cantor <cantor.2@osu.edu>
- Date: Mon, 19 Apr 2010 13:02:58 -0400
- To: "'Meiko Jensen'" <Meiko.Jensen@ruhr-uni-bochum.de>, "'XMLSec WG Public List'" <public-xmlsec@w3.org>
> Section 6: Qnames in content. Searching all text nodes for potential use
> of prefixes is a horribly bad idea. Besides the performance overhead
> you'll get weird matches, resulting in different namespace declarations
> being covered within structurally identical XML documents. Major source
> of confusion and unexplainable signature invalidations.

I don't propose searching all text nodes, but I do believe enumerating the qualified names of nodes that are QName-valued to be useful and frankly necessary.

On a separate but similar topic, I also think in the absence of schema-aware c14n that we have an obligation to allow the specification of ID-valued attributes to ensure better and safer interop of ID-based references. It doesn't by itself address wrapping attacks but it's an improvement on guessing ID-ness.

(To anticipate a response, yes, in an ideal world we'd just use schemas and both issues would be addressed. But in this world, people often don't use them at runtime, nor do they use DTDs.)

-- Scott
Received on Monday, 19 April 2010 17:03:25 UTC
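
Added example, not part of the original message or of any working-group text: a Python sketch of the QName-in-content issue discussed above, using the standard library's `xml.etree.ElementTree.canonicalize` (a C14N 2.0 implementation) and its `qname_aware_attrs` option. The sample document and the helper names are constructed for illustration.

```python
import io
import xml.etree.ElementTree as ET

XS = "http://www.w3.org/2001/XMLSchema"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
XSI_TYPE = f"{{{XSI}}}type"

# Constructed sample: the "xs" prefix is used only inside an attribute value.
# The <note> text holds prefix-like strings that must not be treated as QNames.
DOC = (
    f'<doc xmlns:xs="{XS}" xmlns:xsi="{XSI}">'
    '<value xsi:type="xs:string">42</value>'
    '<note>see xs:string, a:b and http://example.org</note>'
    '</doc>'
)

def canonical_forms(xml_text=DOC):
    """Canonicalize without and with xsi:type enumerated as QName-valued."""
    naive = ET.canonicalize(xml_text)
    aware = ET.canonicalize(xml_text, qname_aware_attrs=[XSI_TYPE])
    return naive, aware

def declares(canonical, uri):
    """True if the canonical form still carries a declaration for `uri`."""
    return f'="{uri}"' in canonical

def resolve_xsi_type(canonical):
    """Resolve the xsi:type value using only declarations left in `canonical`.

    Scoping is simplified to a flat prefix map, which is enough for the sample.
    """
    scope = {}
    stream = io.BytesIO(canonical.encode("utf-8"))
    for event, item in ET.iterparse(stream, events=("start-ns", "start")):
        if event == "start-ns":
            prefix, uri = item
            scope[prefix] = uri
        elif XSI_TYPE in item.attrib:
            prefix, _, local = item.attrib[XSI_TYPE].partition(":")
            return scope.get(prefix), local
    return None

if __name__ == "__main__":
    for label, form in zip(("naive", "aware"), canonical_forms()):
        print(label, resolve_xsi_type(form), form, sep="\n  ")
```

Without the enumeration, the canonical form drops the `xs` declaration because no element or attribute name uses it, so the `xsi:type` value can no longer be resolved from the signed bytes; naming the attribute as QName-valued keeps the declaration without scanning text nodes.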