On Tue, Dec 20, 2011 at 04:58, Colm O hEigeartaigh <[email protected]> wrote:

> This is already available via the JSR-105 API by setting the
> "javax.xml.crypto.dsig.cacheReference" property to true. Apache WSS4J
> uses this to build a set of protected element results, that can be
> subsequently compared to an XPath expression via WS-SecurityPolicy.

Thanks for the pointer.

> It is up to the application calling the signature verification code to
> ensure that IDs are unique. The 1.5.0 release tightens this
> requirement by not searching the document tree for any IDs in "known"
> namespaces. The calling code must find the desired elements and
> register them on the context/IdResolver for signature validation to
> work.

I really think the library should support this directly and by default. Given *zero* systems using the library did the right thing in the review done by the researchers, I think it's safe to say this is non-obvious.

Let me ask this a different way. What speaks against adding this check if, via an option, it can be disabled to remove the performance hit it would cause?

-- 
Chad La Joie
www.itumi.biz
trusted identities, delivered
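What the two quoted paragraphs describe, written out as an added example (not code from this thread, nor from the Santuario or WSS4J projects): the caller locates the element it intends to trust, registers that element's ID on the validation context rather than letting the library search the document, enables `javax.xml.crypto.dsig.cacheReference`, and after `validate()` checks that the trusted element is actually among the dereferenced nodes. The class name, method name and the `idNs`/`idAttr` parameters are assumptions; the JSR-105 calls are the standard `javax.xml.crypto.dsig` API.

```java
import java.security.PublicKey;
import java.util.Iterator;
import javax.xml.crypto.Data;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.NodeSetData;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public final class ProtectedElementCheck {
    // Hypothetical helper: validates the signature rooted at sigElem and then
    // confirms that the element the application has already located and intends
    // to trust ("expected") was covered by one of the signature's References.
    public static boolean validateAndCheckCoverage(Element sigElem, Element expected,
            String idNs, String idAttr, PublicKey key) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext ctx =
                new DOMValidateContext(KeySelector.singletonKeySelector(key), sigElem);
        // Register only the element we located ourselves as the owner of its ID
        // attribute; the library is not left to hunt the document for matching IDs.
        ctx.setIdAttributeNS(expected, idNs, idAttr);
        // Keep the dereferenced data so the signed nodes can be inspected afterwards.
        ctx.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE);
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) {
            return false; // digest or SignatureValue mismatch
        }
        // Core validation passed; now check what was actually signed. A Reference
        // whose dereferenced data is not a node set (e.g. an external URI) is skipped.
        for (Object o : sig.getSignedInfo().getReferences()) {
            Data data = ((Reference) o).getDereferencedData();
            if (!(data instanceof NodeSetData)) {
                continue;
            }
            Iterator<?> it = ((NodeSetData) data).iterator();
            while (it.hasNext()) {
                if (((Node) it.next()).isSameNode(expected)) {
                    return true;
                }
            }
        }
        return false; // valid signature, but it does not cover the element we trust
    }
}
```

A Reference with URI="" dereferences to the whole document, so the check also passes for a correctly enveloped whole-document signature; only a signature whose References never touch the trusted element is rejected.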
