On 8/20/12 10:26 PM, "Michael Bishop" <[email protected]> wrote:

> Which goes back to your original statement in that you have to "identify"
> ID attributes via a custom resolver, schema constraint, or DOM3 APIs
> calls?

Yes, that's correct. Assuming ID based on attribute name alone opens you up to wrapping attacks. Unfortunately, because Xerces is broken and refuses to enforce ID uniqueness within the DOM itself (when you tell it what the IDs are), you're still open to wrapping attacks even if you do the right things superficially.

In other words, be very, very careful. Never process signed content unless you rely on an API that gives you only what was verified (fed into the digest), or unless you "redo" the same ID lookup logic that the xmlsec library does/did before passing anything that was supposedly verified into application layer code.

-- Scott
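
The application-side re-check described in the message above, as an added Python sketch that is not part of the original thread and is not the xmlsec library's own lookup code. It does not verify a signature; it only enforces that a `#id` reference resolves to exactly one element and that the element the application consumes is that same node. The attribute names in `ID_ATTRS`, the function names and the sample documents are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: the application's schema declares these attribute names as IDs.
ID_ATTRS = ("ID", "Id", "id")

class IdResolutionError(Exception):
    """The reference does not resolve to exactly one element."""

def resolve_unique_id(root, ref_uri):
    """Return the only element whose ID equals the fragment in ref_uri."""
    if not ref_uri.startswith("#") or len(ref_uri) == 1:
        raise IdResolutionError("only same-document '#id' references are handled")
    wanted = ref_uri[1:]
    # Scan the whole tree instead of trusting a first-match ID lookup.
    matches = [el for el in root.iter()
               if any(el.get(name) == wanted for name in ID_ATTRS)]
    if len(matches) != 1:
        raise IdResolutionError(f"{len(matches)} elements carry ID {wanted!r}")
    return matches[0]

def require_verified(root, ref_uri, consumed):
    """Refuse to hand `consumed` to the application unless it is the very
    node the signature reference resolves to (identity, not equality)."""
    target = resolve_unique_id(root, ref_uri)
    if consumed is not target:
        raise IdResolutionError("consumed element is not the referenced node")
    return target

# Constructed sample documents (not taken from the thread).
CLEAN = '<Doc><Payload ID="a1">signed</Payload></Doc>'
DUPLICATED = ('<Doc><Payload ID="a1">unsigned</Payload>'
              '<Extra><Payload ID="a1">signed</Payload></Extra></Doc>')
MISMATCH = ('<Doc><Payload ID="b2">unsigned</Payload>'
            '<Extra><Payload ID="a1">signed</Payload></Extra></Doc>')

def check(xml_text, ref_uri="#a1"):
    """Return the text of the uniquely referenced element, or the rejection."""
    root = ET.fromstring(xml_text)
    first_payload = root.find("Payload")  # what position-based app code reads
    try:
        return require_verified(root, ref_uri, first_payload).text
    except IdResolutionError as exc:
        return f"rejected: {exc}"

if __name__ == "__main__":
    for doc in (CLEAN, DUPLICATED, MISMATCH):
        print(check(doc))
```
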
