RE: How much XML Signature is mature?

> It was not pulled out. It's in the current official spec you can
> download from Visa's website.

I must have missed that.

> Moreover, I know that several people (including myself) contacted Visa
> guys about this problem but the response basically was "we don't care".

I think they care to a degree, but they probably decided that it wasn't
important enough to change the spec at this point since most 3D-Secure
implementations do not use validating parsers.  They should have issued a
'heads-up' message to implementers so the problem can be contained for a
future fix, though.

> I haven't seen the code that does this but I bet that it generates N
> random bytes, base64 encodes them and result string is called "ID
> attribute". Of course, such strings could not be used as ID
> attributes (may start with number, may contain '+', etc.).

If so, then I think there might have been some security concern raised that
mandated use of random IDs.  If so, then they should have at least replaced
ID and IDREF in the DTD with CDATA.

Don Park
http://www.docuverse.com/
http://www.docuverse.com/blog/donpark/

> I haven't seen the code that does this but I bet that it generates N
> random bytes, base64 encodes
> them and result string is called "ID attribute". Of course, such strings
> could not be used as ID
> attributes (may start with number, may contain '+', etc.).
> 
> 
> Aleksey Sanin
> XML Security Library  <http://www.aleksey.com/xmlsec>
> 

Received on Sunday, 19 October 2003 12:06:29 UTC
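
The ID problem discussed in this thread, as an added example that is not part of the original messages or of any 3D-Secure implementation: it checks base64-encoded random bytes against the XML 1.0 Name production that a DTD-declared ID must match, and shows one encoding that always passes. The base64 scheme is the guess made in the thread, not confirmed behaviour; the function names and the `_` + hex alternative are assumptions of this example.

```python
import base64
import re
import secrets

# ASCII subset of the XML 1.0 Name production, which is what a DTD-declared
# ID must match. base64 output is pure ASCII, so the subset is sufficient here.
XML_NAME = re.compile(r"[A-Za-z_:][A-Za-z0-9_:.\-]*\Z")
START_OK = re.compile(r"[A-Za-z_:]")
ILLEGAL = re.compile(r"[^A-Za-z0-9_:.\-]")


def is_valid_xml_id(value: str) -> bool:
    return XML_NAME.match(value) is not None


def naive_id(raw: bytes) -> str:
    """Scheme guessed at in the thread (unconfirmed): base64 of random bytes."""
    return base64.b64encode(raw).decode("ascii")


def safe_id(raw: bytes) -> str:
    """Hypothetical alternative: '_' + hex keeps the randomness, always a Name."""
    return "_" + raw.hex()


def rejection_reasons(value: str) -> list:
    """Explain why a validating parser would refuse the value as an ID."""
    if not value:
        return ["empty"]
    reasons = []
    if not START_OK.match(value[0]):
        reasons.append("bad first character %r" % value[0])
    illegal = sorted(set(ILLEGAL.findall(value)))
    if illegal:
        reasons.append("illegal characters " + "".join(illegal))
    return reasons


def naive_failure_rate(samples: int = 2000, nbytes: int = 18) -> float:
    """Fraction of naive IDs that are not valid; 18 bytes avoids '=' padding."""
    bad = sum(not is_valid_xml_id(naive_id(secrets.token_bytes(nbytes)))
              for _ in range(samples))
    return bad / samples


if __name__ == "__main__":
    for raw in (b"\x00\x00\x00", b"\xd3\x4d\x34", b"\xfb\xff\xfe", b"A"):  # constructed
        nid = naive_id(raw)
        print(nid, rejection_reasons(nid) or "ok", "->", safe_id(raw))
    print("naive failure rate: %.2f" % naive_failure_rate())
```

With 18 random bytes roughly six in ten naive IDs fail the check, which is why the mismatch only surfaces once a validating parser is put in the path.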