> It also means you have to pre-scan the base64 text to work out what you
> are going to do - which is just plain ugly.

Yeah. The bottom line is that anything that can't consume something with or without breaks is non-compliant, so clearly OpenSSL is borderline because the flag is not attractive to use, and anything that breaks because Apache code *is* producing them is also broken.

This all gets more complex if you're including schema validation, because of data normalization, but Xerces-C 2.7 has finally dealt with that, I believe. In 2.6, they created a double-whammy by breaking the signature if you normalized, but breaking the base64 decoding if you didn't. That was fun.

-- Scott
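
A single-pass decoder that accepts base64 with or without line breaks, so no pre-scan of the text is needed. This is an added example, not code from OpenSSL, Xerces-C or the Apache code discussed in the thread; the function name `b64_decode_lenient` and the sample strings are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Map one base64 character to its 6-bit value; -1 if outside the alphabet. */
static int b64_val(unsigned char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Hypothetical helper: decode in one pass, skipping whitespace wherever it
 * occurs. Returns bytes written, or -1 on malformed input or if out is
 * too small. */
long b64_decode_lenient(const char *in, unsigned char *out, size_t out_cap) {
    unsigned long acc = 0;      /* bit accumulator */
    int nbits = 0, pad = 0;     /* valid bits in acc, '=' characters seen */
    size_t chars = 0, n = 0;    /* non-whitespace chars seen, bytes written */
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (c == ' ' || c == '\t' || c == '\r' || c == '\n') continue;
        chars++;
        if (c == '=') { if (++pad > 2) return -1; continue; }
        int v = b64_val(c);
        if (v < 0 || pad) return -1;    /* bad character, or data after '=' */
        acc = (acc << 6) | (unsigned long)v;
        nbits += 6;
        if (nbits >= 8) {
            if (n >= out_cap) return -1;
            nbits -= 8;
            out[n++] = (unsigned char)((acc >> nbits) & 0xFF);
            acc &= (1UL << nbits) - 1;  /* keep only the leftover bits */
        }
    }
    /* Whitespace aside: length is a multiple of 4 and leftover bits are 0. */
    if (chars % 4 != 0 || acc != 0) return -1;
    return (long)n;
}

int main(void) {
    /* Constructed sample: the same payload unwrapped and CRLF-wrapped. */
    const char *flat = "SGVsbG8sIHdvcmxkIQ==";
    const char *wrapped = "SGVsbG8s\r\nIHdvcmxk\r\nIQ==\r\n";
    unsigned char a[32], b[32];
    long la = b64_decode_lenient(flat, a, sizeof a);
    long lb = b64_decode_lenient(wrapped, b, sizeof b);
    return !(la == 13 && lb == la && memcmp(a, b, 13) == 0);
}
```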
