Hi, If you hava a signed XML file (below) WITHOUT SCHEMA, is siganture (focus on id) valid or invalid?
<root xmlns:ds="http://www.w3.org/2000/09/xmldsig#";> <signedNode id="data"> ... some nodes (doesn't matter)... </signedNode> <ds:Signature> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#data"> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>nlywR123biGN45lEBdhNrTvzGX4=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>9MM7YZQTR ... </ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>RhbG5vIHBv ... </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> </root> Java libraries can sign and verify that kind of signature. C++ libraries throws an exception, works well with "Id" not "id". So is this signature valid or invalid? matej > Scott/Sean/Milan, > > What I'm going to do in the C++ library is put in a call that allows you > to disable the search for non registered Ids. That allows for backwards > compatibility, but ensures that the settings can be more secure. > > I might also mark it in the docs with a warning that at version 2, this > will become the default. > > Cheers, > Berin > > > Scott Cantor wrote: > > >>My advice would be to remove the code that searches for > >>attributes named id, or Id and force the application to > >>manually register those ids. > > > > > > +1. > > > > But I'd add that Sun's inclusion of an XML parser in the JRE really > > complicates this because it forces us to endorse a parser that does support > > the DOM3 calls needed to manually register IDs. I'm not aware of any > > non-DOM3 method in, say, Xerces, that even supports registration of IDs, > > whether standard or otherwise. Happy to learn of one, though. > > > > -- Scott > > > > > >
