[xmlsec] RE: Implementing WS-Security using XMLSec...

Venky Madireddi venky at arvasoft.com
Wed Jun 11 11:24:13 PDT 2003


Yes, this could cause some serious bugs. Would you happen to know anyone out
there that I could report to?

Regards,

-Venky

> -----Original Message-----
> From: Rich Salz [mailto:rsalz at datapower.com]
> Sent: Wednesday, June 11, 2003 11:01 AM
> To: Aleksey Sanin
> Cc: venky at arvasoft.com; xmlsec at aleksey.com
> Subject: Re: [xmlsec] RE: Implementing WS-Security using XMLSec...
>
>
> You don't even have to look at the c14n spec (thank goodness! :) to see
> that this is seriously broken, as Aleksey alluded:
>
> >   <getGreeting xmlns="http://Sample8.wsdk.ibm.com">
> >    <in0 xmlns="">venky</in0>
> >   </getGreeting>
>
> > Here is what Websphere's c14n outputs:
> >
> >   <getGreeting xmlns="http://Sample8.wsdk.ibm.com">
> >    <in0>venky</in0>
> >   </getGreeting>
>
> You should report that to IBM -- they've got a really serious bug --
> their canonicalization code put <in0> in the *wrong namespace*!
> 	/r$
>
> --
> Rich Salz, Chief Security Architect
> DataPower Technology
> http://www.datapower.com
> XS40 XML Security Gateway
> http://www.datapower.com/products/xs40.html
> XML Security Overview
> http://www.datapower.com/xmldev/xmlsecurity.html
>
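
Added example, not part of the original message or of xmlsec: a namespace-aware check that reports which elements changed namespace between the input and the WebSphere output quoted above. The function names are hypothetical, and Python's standard-library canonicalizer (C14N 2.0, not necessarily the variant WebSphere or xmlsec applied) is used only as a comparison point.

```python
import xml.etree.ElementTree as ET

# Input document and WebSphere's canonical output, as quoted in the message.
ORIGINAL = '''<getGreeting xmlns="http://Sample8.wsdk.ibm.com">
   <in0 xmlns="">venky</in0>
  </getGreeting>'''
WEBSPHERE_C14N = '''<getGreeting xmlns="http://Sample8.wsdk.ibm.com">
   <in0>venky</in0>
  </getGreeting>'''


def expanded_names(xml_text):
    """Return (namespace URI, local name) for every element, in document order."""
    names = []
    for elem in ET.fromstring(xml_text).iter():
        # ElementTree stores a namespaced tag as "{uri}local" and an
        # un-namespaced one as plain "local".
        if elem.tag.startswith("{"):
            uri, local = elem.tag[1:].split("}", 1)
        else:
            uri, local = "", elem.tag
        names.append((uri, local))
    return names


def namespace_drift(before, after):
    """List (local name, old namespace, new namespace) for every element whose
    expanded name differs between a document and a canonical form of it."""
    a, b = expanded_names(before), expanded_names(after)
    if len(a) != len(b):
        raise ValueError("element count changed during canonicalization")
    return [(old_local, old_ns, new_ns)
            for (old_ns, old_local), (new_ns, new_local) in zip(a, b)
            if (old_ns, old_local) != (new_ns, new_local)]


def reference_c14n(xml_text):
    """Canonicalize with the standard library (C14N 2.0) for comparison."""
    return ET.canonicalize(xml_text)


if __name__ == "__main__":
    for local, old, new in namespace_drift(ORIGINAL, WEBSPHERE_C14N):
        print(f"<{local}>: namespace {old!r} became {new!r}")
    # The comparison canonicalizer keeps the xmlns="" undeclaration on <in0>.
    print(reference_c14n(ORIGINAL))
```

Run against the two quoted documents, the check reports that in0 moved from no namespace into http://Sample8.wsdk.ibm.com, while the comparison canonicalizer leaves it in no namespace.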




