[xmlsec] XPATH and Visa 3D-secure specification

Rich Salz rsalz@datapower.com
Thu, 25 Sep 2003 10:38:27 -0400


Are they doing something like this?

     <visa:PARes id="...">
and then later on doing
     <ds:Reference URI="#..."
Then according to the last paragraph of section 4.3.3.2, the PARes id 
attribute *must* be an XML ID.

The language is a little obscure, but if you read 4.3.3.2 and 4.3.3.3 
carefully, you will see that if dsig:Reference/@URI has a "#", then it 
is taken as a "barename XPointer".  Which means that it can only refer 
to something that is a legal XML ID attribute.  This is XPointer, not XPath.

VISA is non-conformant; the visa:PARes/@id attribute MUST be of type ID, 
and must conform to the syntax requirements of ID's.
	/r$

-- 
Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
XML Security Overview  http://www.datapower.com/xmldev/xmlsecurity.html