- From: Don Park <donpark@docuverse.com>
- Date: Sun, 19 Oct 2003 09:05:25 -0700
- To: "'Aleksey Sanin'" <aleksey@aleksey.com>
- Cc: "'Rich Salz'" <rsalz@datapower.com>, <gino.tesei@ekar.it>, <w3c-ietf-xmldsig@w3.org>
> It was not pulled out. It's in the current official spec you can > download from Visa's website. I must have missed that. > Moreover, I know that several people (including myself) contacted Visa > guys about this problem but the response basically was "we don't care". I think they care to a degree, but they probably decided that it wasn't important enough to change the spec at this point since most 3D-Secure implementations do not use validating parsers. They should have issued a 'heads-up' message to implementers so the problem can be contained for future fix though. > I haven't seen the code that does this but I bet that it generates N > random bytes, base64 encodes them and result string is called "ID > attribute". Of course, such strings could not be used as ID > attributes (may start with number, may contain '+', etc.). If so, then I think there might have been some security concern raised that mandated use of random IDs. If so, then they should have at least replaced ID and IDREF in the DTD with CDATA. Don Park http://www.docuverse.com/ http://www.docuverse.com/blog/donpark/ > I haven't seen the code that does this but I bet that it generates N > random bytes, base64 encodes > them and result string is called "ID attribute". Of course, such strings > could not be used as ID > attributes (may start with number, may contain '+', etc.). > > > Aleksey Sanin > XML Security Library <http://www.aleksey.com/xmlsec> >
Received on Sunday, 19 October 2003 12:06:29 UTC