[xmlsec] RE: Implementing WS-Security using XMLSec...

Rich Salz rsalz at datapower.com
Wed Jun 11 11:00:50 PDT 2003


You don't even have to look at the c14n spec (thank goodness! :) to see 
that this is seriously broken, as Aleksey alluded:

>   <getGreeting xmlns="http://Sample8.wsdk.ibm.com">
>    <in0 xmlns="">venky</in0>
>   </getGreeting>

> Here is what Websphere's c14n outputs:
> 
>   <getGreeting xmlns="http://Sample8.wsdk.ibm.com">
>    <in0>venky</in0>
>   </getGreeting>

You should report that to IBM -- they've got a really serious bug -- 
their canonicalization code put <in0> in the *wrong namespace*!
	/r$

-- 
Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
XML Security Overview  http://www.datapower.com/xmldev/xmlsecurity.html
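
The namespace change described in the message above, shown with a namespace-aware parser. This is an added example, not part of the original message; the function names `expanded_names` and `namespace_drift` are illustrative, and the two documents are the quoted ones with inter-element whitespace omitted.

```python
import xml.etree.ElementTree as ET

# The two serializations quoted in the message (whitespace omitted).
ORIGINAL = ('<getGreeting xmlns="http://Sample8.wsdk.ibm.com">'
            '<in0 xmlns="">venky</in0></getGreeting>')
BROKEN_C14N = ('<getGreeting xmlns="http://Sample8.wsdk.ibm.com">'
               '<in0>venky</in0></getGreeting>')


def expanded_names(xml_text):
    """Return (namespace URI, local name) for each element, in document order."""
    names = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag
        if tag.startswith('{'):
            # ElementTree writes namespaced names as '{uri}local'.
            uri, local = tag[1:].split('}', 1)
        else:
            uri, local = '', tag  # element is in no namespace
        names.append((uri, local))
    return names


def namespace_drift(before, after):
    """Compare two serializations that should describe the same elements.

    Returns a list of (position, local name, uri_before, uri_after) for every
    element whose namespace changed. A correct canonicalizer yields [].
    """
    a, b = expanded_names(before), expanded_names(after)
    if len(a) != len(b):
        raise ValueError('element count differs')
    drift = []
    for i, ((uri_a, local_a), (uri_b, local_b)) in enumerate(zip(a, b)):
        if local_a != local_b:
            raise ValueError('element %d: local name differs' % i)
        if uri_a != uri_b:
            drift.append((i, local_a, uri_a, uri_b))
    return drift


if __name__ == '__main__':
    for pos, local, was, now in namespace_drift(ORIGINAL, BROKEN_C14N):
        print('element %d <%s>: namespace %r became %r' % (pos, local, was, now))
```

Dropping `xmlns=""` makes `<in0>` inherit the parent's default namespace, so the signed bytes describe a different element than the one the sender wrote.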