Scott Cantor wrote:
I'll still open a bug to have more information come back froma failed
verify than true/false. XML signatures are way too complex to only have
pass/fail.
It's actually true both ways...you need more information even if it passes
or you have no way to know what's been signed. I do not have a rational
proposal to offer for that, however.
You can also do this with JSR 105 - you can optionally specify whether
you want to be able to get the referenced data before it is transformed
and digested. I believe there is also a way to do that in the Apache
XMLSec APIs (don't have time to check right now).
Or were you suggesting something else?
--Sean
