> > It's actually true both ways...you need more information even if it passes
> > or you have no way to know what's been signed. I do not have a rational
> > proposal to offer for that, however.
> >
>
> You can also do this with JSR 105 - you can optionally specify whether
> you want to be able to get the referenced data before it is transformed
> and digested. I believe there is also a way to do that in the Apache
> XMLSec APIs (don't have time to check right now).
It has to be *after* the transforms, or you still don't know what's been
signed. If you can constrain the transform set itself, then that's kind of
the other way you approach the problem, e.g. how SAML profiles signatures.

> Or were you suggesting something else?

I should note that I also am concerned about the C++ library, so what the
JSR can do is motivating but not the whole picture.

-- Scott
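The point Scott makes above, that the verifier needs the data as it stood *after* the transforms and not merely the dereferenced input, can be shown with JSR 105 itself. The following is an added example, not code from this thread or from the JSR 105 reference implementation: it enables reference caching with the `javax.xml.crypto.dsig.cacheReference` context property, validates the signature, and then reads each Reference's `getDigestInputStream()`, which is the post-transform octet stream that was actually digested. The class and method names (`SignedContentCheck`, `validateAndCaptureDigestInput`, `signedRootElement`) are hypothetical; it assumes the caller has already resolved the verification key, that the References point at enveloped XML content so the digested bytes parse back into an element, and Java 9 or later for `readAllBytes()`.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.security.Key;
import java.util.ArrayList;
import java.util.List;

import javax.xml.XMLConstants;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Hypothetical helper (not from the thread): validates an enveloped ds:Signature
 *  and hands back the octets each Reference actually digested, i.e. post-transform. */
public class SignedContentCheck {

    /** Namespace-aware, DTD-free parser so the verifier's own XML handling is not
     *  the weak spot. disallow-doctype-decl is the Xerces/JDK feature name. */
    public static Document parse(byte[] xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new ByteArrayInputStream(xml));
    }

    /** Validates the single ds:Signature under the given verification key and
     *  returns, per Reference, the exact bytes that went into the digest.
     *  Rejecting documents with more than one Signature is a policy choice
     *  made here for illustration. */
    public static List<byte[]> validateAndCaptureDigestInput(Document doc, Key verificationKey)
            throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) {
            throw new SecurityException("expected exactly one Signature, found " + sigs.getLength());
        }
        DOMValidateContext ctx = new DOMValidateContext(verificationKey, sigs.item(0));
        // JSR 105: keep the dereferenced and transformed data so it can be inspected afterwards.
        ctx.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE);

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) {
            throw new SecurityException("signature validation failed");
        }

        List<byte[]> digested = new ArrayList<>();
        // getReferences() is a raw List in older JSR 105 releases, hence the cast.
        for (Object o : sig.getSignedInfo().getReferences()) {
            Reference ref = (Reference) o;
            // ref.getDereferencedData() would give the pre-transform data; that is not
            // enough, because the transforms decide what the digest (and so the
            // signature) actually covers. getDigestInputStream() is the post-transform view.
            InputStream digestInput = ref.getDigestInputStream();
            if (digestInput == null) {
                throw new IllegalStateException("reference caching not in effect for " + ref.getURI());
            }
            digested.add(digestInput.readAllBytes());
        }
        return digested;
    }

    /** Parses the digested octets back into an element so the application can
     *  confirm that the thing it is about to trust is the thing that was signed.
     *  Only meaningful when the transform chain leaves well-formed XML behind. */
    public static Element signedRootElement(byte[] digestInput) throws Exception {
        return parse(digestInput).getDocumentElement();
    }
}
```

The application would then take its decisions from `signedRootElement(...)` (checking namespace, local name and any Id it expects) rather than from an element it located on its own in the original document; the two can differ whenever the transform chain is attacker-controlled, which is exactly the gap the thread is discussing. Constraining the allowed transforms up front, as SAML profiles do, is the complementary approach Scott mentions.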