> I think they care to a degree, but they probably decided that it wasn't
> important enough to change the spec at this point since most 3D-Secure
> implementations do not use validating parsers.

In other words, interop doesn't matter as long as you comply with their spec. That's a lousy attitude. If I weren't in polite company, I'd use a more fecal term. :)

> If so, then I think there might have been some security concern raised that
> mandated use of random IDs. If so, then they should have at least replaced
> ID and IDREF in the DTD with CDATA.

That's what they did -- their attribute is defined as CDATA. But then they use that attribute as the target of a dsig:Reference/@URI attribute, and that's non-conformant. According to the XPointer spec, "barewords" must be XML IDs, not XML CDATA.

Several of us took a bit of time to explain this, including pointing to the relevant specs. Their attitude is "oh, well." Or, less charitably, "too bad." It's a fairly small fix, just limiting the alphabet used to generate the attributes, and their unwillingness to fix it is surprising.

Perhaps you could also mention this to them -- your voice might get more attention than some others. And you might want to mention to the hardware folks you alluded to that they should be careful about burning non-compliance into their silicon. :) Perhaps they could accept broken signatures, but make sure that the reference targets they generate are compliant as XML ID attributes.

/r$

--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html

Received on Sunday, 19 October 2003 14:04:30 GMT
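The conformance point in the message above, as an added example that is not part of the original post or of any 3-D Secure implementation: a random-ID generator restricted to an alphabet that is legal for an XML ID, and a checker for same-document `dsig:Reference/@URI` targets. The element names, the `id` attribute name and the sample values are constructed, and the name check covers only the ASCII subset of NCName.

```python
import re
import secrets
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
# Assumption: ASCII subset of the XML NCName production (the full
# production also admits many non-ASCII letters).
NCNAME_ASCII = re.compile(r"[A-Za-z_][A-Za-z0-9._-]*\Z")

def new_reference_id(nbytes=16):
    """Random ID that is still a legal XML ID: '_' start, hex tail."""
    return "_" + secrets.token_hex(nbytes)

def check_references(xml_text, id_attr="id"):
    """Return (URI, problem) pairs for same-document dsig references."""
    root = ET.fromstring(xml_text)
    targets = {}
    for el in root.iter():
        value = el.get(id_attr)
        if value is not None:
            targets[value] = targets.get(value, 0) + 1
    findings = []
    for ref in root.iter("{%s}Reference" % DSIG):
        uri = ref.get("URI", "")
        # Only bare-name fragments are checked; "" (whole document),
        # external URIs and xpointer(...) forms are out of scope here.
        if not uri.startswith("#") or uri.startswith("#xpointer("):
            continue
        frag = uri[1:]
        if not NCNAME_ASCII.match(frag):
            findings.append((uri, "fragment is not a legal XML ID (NCName)"))
        elif targets.get(frag, 0) != 1:
            findings.append((uri, "fragment does not match exactly one target"))
    return findings

# Constructed sample message; {id} is filled in below.
SAMPLE = """<Message xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <Payload id="{id}">data</Payload>
  <ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#{id}"/>
  </ds:SignedInfo></ds:Signature>
</Message>"""

if __name__ == "__main__":
    # Constructed ID drawn from an unrestricted alphabet vs. a restricted one.
    print(check_references(SAMPLE.format(id="9+Zk/3Q=")))
    print(check_references(SAMPLE.format(id=new_reference_id())))
```

A validating parser would additionally require the target attribute to be declared as type ID in the DTD, which this lexical check does not model.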