[xmlsec] RE: Implementing WS-Security using XMLSec...
Rich Salz
rsalz at datapower.com
Wed Jun 11 11:00:50 PDT 2003
You don't even have to look at the c14n spec (thank goodness! :)to see
that this is seriously broken, as Aleksey alluded:
> <getGreeting xmlns="http://Sample8.wsdk.ibm.com">
> <in0 xmlns="">venky</in0>
> </getGreeting>
> Here is what Websphere's c14n outputs:
>
> <getGreeting xmlns="http://Sample8.wsdk.ibm.com">
> <in0>venky</in0>
> </getGreeting>
You should report that to IBM -- they've got a really serious bug --
their canonicalization code put <in0> in the *wrong namespace*!
/r$
--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
More information about the xmlsec
mailing list