Scott Cantor wrote:
It's actually true both ways...you need more information even if it
passes
or you have no way to know what's been signed. I do not have a rational
proposal to offer for that, however.
You can also do this with JSR 105 - you can optionally specify whether
you want to be able to get the referenced data before it is transformed
and digested. I believe there is also a way to do that in the Apache
XMLSec APIs (don't have time to check right now).
It has to be *after* the transforms, or you still don't know what's been
signed.
Right, that's what I meant, was a typo on my part.
--Sean
