- From: Scott Cantor <cantor.2@osu.edu>
- Date: Mon, 7 Dec 2009 13:49:48 -0500
- To: "'Pratik Datta'" <PRATIK.DATTA@oracle.com>, <edsimon@xmlsec.com>, "'XMLSec WG Public List'" <public-xmlsec@w3.org>
- Cc: "'Meiko Jensen'" <Meiko.Jensen@ruhr-uni-bochum.de>, "'"Jörg Schwenk"'" <joerg.schwenk@rub.de>

Pratik Datta wrote on 2009-12-07:
> I read the paper, very interesting.
> The crux of the attack is that the XPath expression is considered a text
> node, so Exclusive Canonicalization does not consider any of the namespace
> prefixes inside that as visibly utilized, hence it doesn't include them.

Yes, pretty much the same as the QName issue.

> Canonicalization 2.0 also looks at some prefixes that are embedded in
> content. Currently it only looks at prefixes in xsi:type attribute. We
> might consider extending it to prefixes in the IncludedXPath and
> ExcludedXPath elements.

That seems quite logical to me.

-- Scott

Received on Monday, 7 December 2009 18:50:41 UTC
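
The behaviour discussed in this message, as an added example that is not part of the original thread or of any working-group code. It uses Python's standard-library `canonicalize` (Canonical XML 2.0) as a stand-in for a canonicalizer that emits only the namespace declarations it sees as utilized; the documents, the `Selection` and `Item` element names and the `urn:example:*` URIs are constructed for illustration.

```python
# Added illustration: constructed documents, not taken from the paper or the thread.
from xml.etree.ElementTree import canonicalize

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Prefix ns1 is used only inside the text content of IncludedXPath.
XPATH_DOC = (
    '<Selection xmlns:ns1="%s">'
    '<IncludedXPath>/ns1:Envelope/ns1:Body</IncludedXPath>'
    '</Selection>'
)
# Prefix t is used only inside the value of the xsi:type attribute.
TYPE_DOC = (
    '<Item xmlns:t="%s" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    'xsi:type="t:Order"/>'
)
URI_A = "urn:example:original"   # constructed namespace URI
URI_B = "urn:example:rebound"    # same prefix bound to a different URI


def canonical_pair(template, **options):
    """Canonical forms of the template with the prefix bound to URI_A and URI_B."""
    return (canonicalize(template % URI_A, **options),
            canonicalize(template % URI_B, **options))


def rebinding_is_visible(template, **options):
    """True if changing the prefix binding changes the canonical form,
    i.e. a digest over the canonical form would detect the change."""
    first, second = canonical_pair(template, **options)
    return first != second


if __name__ == "__main__":
    # XPath text: the ns1 declaration is dropped, so both bindings look identical.
    print(canonical_pair(XPATH_DOC)[0])
    print("XPath rebinding visible:", rebinding_is_visible(XPATH_DOC))
    # xsi:type: invisible by default, visible once the attribute is QName-aware.
    print("xsi:type rebinding visible (default):", rebinding_is_visible(TYPE_DOC))
    print("xsi:type rebinding visible (QName-aware):",
          rebinding_is_visible(TYPE_DOC, qname_aware_attrs={XSI_TYPE}))
```

The QName-aware option here recognises only a value that is a single prefixed name, so it does not cover XPath text; handling the prefixes in IncludedXPath and ExcludedXPath is the extension proposed in the message.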