[xmlsec] XPATH and Visa 3D-secure specification

Jesse Pelton jsp at PKC.com
Thu Sep 25 08:06:53 PDT 2003


I think that's the core question: does the Visa spec call for handling their
CDATA "id" attribute as if it were an ID?  I don't know anything about the
spec, except that it causes this question to arise periodically
(occasionally inducing me to rant).  Slava, can you point to it, or excerpt
relevant sections?

> -----Original Message-----
> From: Rich Salz [mailto:rsalz at datapower.com] 
> Sent: Thursday, September 25, 2003 10:38 AM
> To: Slava Kostin
> Cc: xmlsec at aleksey.com
> Subject: Re: [xmlsec] XPATH and Visa 3D-secure specification
> 
> 
> Are they doing something like this?
> 
>      <visa:PARes id="...">
> and then later on doing
>      <ds:Reference URI="#..."
> Then according to the last paragraph of section 4.3.3.2, the PARes id 
> attribute *must* be an XML ID.
> 
> The language is a little obscure, but if you read 4.3.3.2 and 4.3.3.3 
> carefully, you will see that if dsig:Reference/@URI has a 
> "#", then it 
> is taken as a "barename XPointer".  Which means that it can 
> only refer 
> to something that is a legal XML ID attribute.  This is 
> XPointer, not XPath.
> 
> VISA is non-conformant; the visa:PARes/@id attribute MUST be 
> of type ID, 
> and must conform to the syntax requirements of ID's.
> 	/r$



More information about the xmlsec mailing list