- From: Rich Salz <rsalz@datapower.com>
- Date: Sun, 19 Oct 2003 14:01:14 -0400 (EDT)
- To: Don Park <donpark@docuverse.com>
- Cc: 'Aleksey Sanin' <aleksey@aleksey.com>, "gino.tesei@ekar.it" <gino.tesei@ekar.it>, "w3c-ietf-xmldsig@w3.org" <w3c-ietf-xmldsig@w3.org>
> I think they care to a degree, but they probably decided that it wasn't > important enough to change the spec at this point since most 3D-Secure > implementations do not use validating parsers. In other words, interop doesn't matter as long as you comply with their spec. That's a lousy attitude. If I weren't in polite company, I'd use a more fecal term. :) > If so, then I think there might have been some security concern raised that > mandated use of random IDs. If so, then they should have at least replaced > ID and IDREF in the DTD with CDATA. That's what they did -- their attribute is defined as CDATA. But then they use that attribute as the target of a dsig:Reference/@URI attribute, and that's non-conformant. According to the XPointer spec, "barewards" must be XML ID's, not XML CDATA. Several of us took a bit of time to explain this, including pointing to the relevant specs. They're attitude is "oh, well." Or, less charitably "too bad." It's a fairly small fix, just limiting the alphabet used to generate the attributes, and their unwillingness to fix it is surprising. Perhaps you could also mention this to them -- your voice might get more attention then some others. And you might want to mention to the hardware folks you alluded to that they should be careful about burning non-complaince into their silicon. :) Perhaps they could accept broken signatures, but makes sure that the reference targets they generate are compliant as XML ID attributes. /r$ -- Rich Salz Chief Security Architect DataPower Technology http://www.datapower.com XS40 XML Security Gateway http://www.datapower.com/products/xs40.html XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
Received on Sunday, 19 October 2003 14:04:30 UTC