- From: John Boyer <JBoyer@PureEdge.com>
- Date: Thu, 21 Jun 2001 10:29:28 -0700
- To: "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>
- Cc: <w3c-ietf-xmldsig@w3.org>
Let's try again without the HTML...

Hi Don,

I agree with most of what you said about the relative advantages and disadvantages of a general XPath approach. Whatever little difference I have is not worth debating since I was primarily interested in exhibiting a wealth of XML DSig designs whereby C14N solves the problem at hand (in contradiction to certain claims being made at the time).

In case we do find another enormous problem that could be solved by the general XPath approach, I'd better fix the technical problem you pointed out:

>3) Add the subtree rooted by the XPath element in Signature, including
>attributes and namespaces.

<Don>
I don't think this works, if the application uses the XPath data model, because this subtree will have already been invaded by ancestor namespace declaration. And there are security problems with having it filter itself.
</Don>

<john>
Brilliant, as usual, Don.

3) Add the subtree rooted by the XPath element in Signature, excluding attributes and namespaces except those used in the XPath expression.

We are only interested in securing the XPath expression (including the namespace context under which it is evaluated).
</john>

John Boyer
Senior Product Architect, Software Development
Internet Commerce System (ICS) Team
PureEdge Solutions Inc.
Trusted Digital Relationships
v: 250-708-8047 f: 250-708-8010
1-888-517-2675
http://www.PureEdge.com
Received on Thursday, 21 June 2001 13:29:59 UTC