It's a very good question. Check out this writeup (if you haven't seen it already):

http://www.w3.org/TR/xmldsig-bestpractices/

Aleksey

On 1/15/15 5:48 AM, Alex Boese wrote:
> Any advice for best practices against security attacks on xml signatures?
> I've heard a little bit about namespace attacks, xml bombs (million lol
> attack), and wrapper attacks. There are probably many others I am missing. Is
> there a set of rules (outside of the w3 standards already in place) that you
> adhere to? What about inherent weaknesses of the canonicalization process?
>
> -A
> _______________________________________________
> xmlsec mailing list
> [email protected]
> http://www.aleksey.com/mailman/listinfo/xmlsec
