- From: Richard Salz <rsalz@us.ibm.com>
- Date: Thu, 3 May 2007 14:14:26 -0400
- To: public-xmlsec-maintwg@w3.org
Assume a source document like this: <foo xml:id='x'> <bar> <subset> .... </subset> </bar> </foo> 1. Sign this with an XPath transform that picks the subset. Someone who can verify the signature must be using c14n 1.0; if the signature doesn't verify something's broken. 2. Modify the source document so that the xml:id now appears on the 'bar' element and verify the signature. We expect the same results as #1 and have the additional property that we can show how c14n 1.0 is insecure :) #3. Modify the source document so that the xml:id now appears on the subset element. The behavior of 1.0 is unchanged, the behavior of 1.1 depends on the XPath expression (whether subset's attributes are included or not) Hmm, now that I write it down this still seems interesting, but perhaps not as pragmatically useful as I first thought. /r$ -- STSM Senior Security Architect DataPower SOA Appliances
Received on Thursday, 3 May 2007 18:14:34 UTC