On Tue, Dec 20, 2011 at 10:55, Sean Mullan <[email protected]> wrote:
> It no longer searches. All IDs have to be pre-registered. It knows about IDs
> in the XML signature namespace so pre-registers those itself.

I guess I'm missing something. How is this done? After a parse (without schema validation) no attributes would be marked as ID attributes. So how does the library "pre-register" anything? And are you saying that prior to signature validation (or encrypted key resolution), the app must go through and register every ID/element mapping itself?

> We could search the entire document every time for duplicate IDs but then
> nobody would use the library because it would be too slow.

Not to be flippant, but do you actually have anything to back that up? Relatively speaking, a treewalk is pretty fast (when compared to things like canonicalization and various crypto functions).

> This is an issue that we can solve partially, but in my opinion higher level
> APIs need to also do their job and register the IDs in their own namespaces
> (or use a validating schema). Then wrapping attacks are not possible.

Sure, and everyone should always write completely bug-free code. They don't. All I'm trying to say is that we could provide a real fix for this that protects people against an attack that is known to be in the wild and which all tested users of Santuario were vulnerable to.

--
Chad La Joie
www.itumi.biz
trusted identities, delivered
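The two mechanisms argued over in this thread, a pre-registered ID table and a single tree walk that rejects duplicate IDs before any same-document reference is resolved, as an added illustration that is not Santuario's code or part of the original mail. The ID-attribute table, the `wsu` namespace row and the sample envelope are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# ID attributes known per namespace (assumed table, not Santuario's own): the xmldsig
# row is what the library pre-registers itself; the wsu row is what a higher-level
# API such as WS-Security would register for its own namespace.
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
ID_ATTRS = {DSIG_NS: {"Id"}, WSU_NS: {"Id"},
            "http://www.w3.org/XML/1998/namespace": {"id"}}

class DuplicateIdError(ValueError):
    pass

def _split(qname):
    """ElementTree spells qualified names as '{ns}local'; unqualified ones have ns None."""
    if qname.startswith("{"):
        ns, local = qname[1:].split("}", 1)
        return ns, local
    return None, qname

def register_ids(root):
    """One walk over the whole tree: map every registered ID to its element, reject duplicates."""
    table = {}
    for elem in root.iter():
        elem_ns, _ = _split(elem.tag)
        for attr, value in elem.attrib.items():
            attr_ns, local = _split(attr)
            # Simplification: an unprefixed attribute is judged by its element's namespace,
            # so Id="x" on ds:Signature counts, Id="x" on an unknown element does not.
            ns = attr_ns if attr_ns is not None else elem_ns
            if local in ID_ATTRS.get(ns, ()):
                if value in table:
                    raise DuplicateIdError(f"ID {value!r} occurs more than once")
                table[value] = elem
    return table

def resolve_same_document_reference(xml_text, uri):
    """Parse, register all IDs first, then resolve a '#id' Reference URI from the table only."""
    if not uri.startswith("#"):
        raise ValueError("only same-document references are handled here")
    table = register_ids(ET.fromstring(xml_text))
    return _split(table[uri[1:]].tag)[1]  # local name of the element the URI points at

# Constructed sample: a signed Body, plus a copy where a second element carries the
# same wsu:Id, which the duplicate check rejects instead of silently resolving.
SIGNED = (f'<Envelope xmlns:wsu="{WSU_NS}" xmlns:ds="{DSIG_NS}"><Header>'
          '<ds:Signature Id="sig"><ds:Reference URI="#body"/></ds:Signature></Header>'
          '<Body wsu:Id="body">pay 10</Body></Envelope>')
DUPLICATED = SIGNED.replace("<Header>", '<Header><Wrapper wsu:Id="body">pay 10</Wrapper>')
```

The walk costs one pass over the document, which is the cheap step relative to canonicalization and signature verification; the reference lookup itself is then a dictionary hit rather than a search.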
