On 2/23/06, Paul Hoffman <[EMAIL PROTECTED]> wrote: > > >That's why we added a > >bunch of specifics to the XML Security section in the format document. > > Quite true. In the case of the format document, there was one > standard way to protect XML data.
We didn't use the standard way. We explicitly instructed implementors to ignore mandatory-to-implement requirements in XML-Dsig and XML-Enc, and use our better way. See RFC4287, section 5.1 paragraph 5, section 5.1 paragraph 7, and section 5.2 paragraph 2. That may have been totally reasonable. I don't really know. > For HTTP, there are many. Almost all of them aren't any good, and the most popular way is to use cookies. So maybe we could say that. -- Robert Sayre "I would have written a shorter letter, but I did not have the time."
