Hi Don,

I agree with most of what you said about the relative advantages and disadvantages of a general XPath approach.  Whatever little difference I have is not worth debating since I was primarily interested in exhibiting a wealth of XML DSig designs whereby C14N solves the problem at hand (in contradiction to certain claims being made at the time).

In case we do find another enormous problem that could be solved by the general XPath approach, I'd better fix the technical problem you pointed out:

>3) Add the subtree rooted by the XPath element in Signature, including
>attributes and namespaces.

<Don>
I don't think this works, if the application uses the XPath data
model, because this subtree will already have been invaded by
ancestor namespace declarations.  And there are security problems with
having it filter itself.
</Don>

<john>
Brilliant, as usual, Don.

3) Add the subtree rooted by the XPath element in Signature, excluding attributes and namespaces except those used in the XPath expression.

We are only interested in securing the XPath expression (including the namespace context under which it is evaluated).
</john>

John Boyer
Senior Product Architect, Software Development
Internet Commerce System (ICS) Team
PureEdge Solutions Inc.
Trusted Digital Relationships
v: 250-708-8047  f: 250-708-8010
1-888-517-2675   http://www.PureEdge.com
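The exchange above turns on what a subtree "rooted by the XPath element" carries with it under the XPath 1.0 data model: every element's namespace nodes include all of its ancestors' declarations, so detaching the subtree and canonicalizing it with inclusive C14N re-emits those inherited bindings on the apex element (Don's "invasion" point). John's revised step 3 keeps only the bindings the expression actually references. The following is an added illustration, not code from this thread or from any XML DSig implementation: the sample document, the Clark-notation tag name and the prefix-extraction regex are constructed here, and the regex deliberately ignores the edge case of a prefix-like token inside an XPath string literal.

```python
import io
import re
import xml.etree.ElementTree as ET

XML_NS = "http://www.w3.org/XML/1998/namespace"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
XPATH_TAG = "{%s}XPath" % DSIG_NS   # Clark notation, as ElementTree reports tags

# Constructed sample: an enveloped signature whose XPath transform uses the
# "inv" prefix, while the ancestors also declare a default namespace and an
# "unused" prefix that the expression never references.
SAMPLE_DOC = """<Envelope xmlns="urn:example:envelope"
          xmlns:inv="urn:example:invoice"
          xmlns:unused="urn:example:unused">
  <inv:Invoice id="inv1"><inv:Total>100</inv:Total></inv:Invoice>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:Reference URI="">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
            <ds:XPath>ancestor-or-self::inv:Invoice</ds:XPath>
          </ds:Transform>
        </ds:Transforms>
      </ds:Reference>
    </ds:SignedInfo>
  </ds:Signature>
</Envelope>"""


def inscope_namespaces(xml_text, target_tag):
    """Namespace bindings (prefix -> URI) in scope at the first element whose
    tag is `target_tag`, following the XPath 1.0 data model: an element's
    namespace nodes are its own declarations plus every ancestor's, plus the
    implicit "xml" binding. This is exactly the set inclusive C14N would
    re-emit on the apex of a subtree cut out of the document."""
    scope_stack = [{"xml": XML_NS}]
    pending = {}
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, payload in ET.iterparse(source, events=("start-ns", "start", "end")):
        if event == "start-ns":          # delivered before the declaring element's start
            prefix, uri = payload
            pending[prefix] = uri        # "" is the default namespace
        elif event == "start":
            scope = dict(scope_stack[-1])
            scope.update(pending)
            pending = {}
            scope_stack.append(scope)
            if payload.tag == target_tag:
                return scope
        else:                            # "end": leave this element's scope
            scope_stack.pop()
    raise ValueError("element %s not found" % target_tag)


# A QName prefix is a name followed by ONE colon and a name start or "*".
# Axis separators such as "ancestor::" carry two colons and are skipped.
# Assumption of this example: string literals like 'a:b' are not excluded.
_PREFIX_RE = re.compile(r"(?<![\w.\-])([A-Za-z_][\w.\-]*):(?=[A-Za-z_*])")


def prefixes_in_xpath(expr):
    """Set of namespace prefixes an XPath 1.0 expression references."""
    return set(_PREFIX_RE.findall(expr))


def secured_namespace_context(xml_text, target_tag, expr):
    """John's revised step 3: keep only the bindings the expression uses.

    Returns (context, unbound): `context` is the minimal prefix -> URI map to
    sign alongside the expression; `unbound` lists prefixes the expression
    uses that nothing in scope declares, which means the expression could
    not be evaluated as written and the Reference should be rejected."""
    scope = inscope_namespaces(xml_text, target_tag)
    used = prefixes_in_xpath(expr)
    context = {p: scope[p] for p in used if p in scope}
    return context, frozenset(used - set(scope))


if __name__ == "__main__":
    expr = "ancestor-or-self::inv:Invoice"
    print("in scope at ds:XPath:", sorted(inscope_namespaces(SAMPLE_DOC, XPATH_TAG)))
    print("context to secure   :", secured_namespace_context(SAMPLE_DOC, XPATH_TAG, expr))
```

Run stand-alone, the first line shows the five bindings (`""`, `inv`, `unused`, `ds`, `xml`) that the XPath data model attaches to the `ds:XPath` element even though the expression only ever names `inv`; the second shows the one binding that needs to travel with the expression. Signing the larger set means any later re-serialization that reorders or drops an unused ancestor declaration breaks the signature without changing what the expression selects, which is why the smaller, expression-derived context is the right thing to secure.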