Neither is correct, unless you use a schema/DTD that identifies the attribute as an ID. Ex: you could just as easily define an attribute named "target" which is an ID.
So the application may end up signing something that it didn't really intend to.
My advice would be to remove the code that searches for attributes named id, or Id and force the application to manually register those ids.
It is not as much a problem in the validation case, since you can use a validating parser to identity the attributes of type ID.
--Sean
Milan Tomic wrote:
I remeber few months ago we had one discussion about if it is right to set signing attriut as "Id" or "id". I would just like to ask if this was fixed? For newbies, I'll repeat what the problem was. When signing using Apache Java libraries you may set signing node attribut as "Id" or "id", but when using Apache C++ libraries you can use only "Id" as attribut for signing node. The problem is that C++ libraries can not verify document signed using Java libraries (id "id" attribute was used).
Thanks.
