[xmlsec] Reference URI: ID vs CDATA

Jacek Nowacki jacekn at polcard.com.pl
Tue Sep 16 05:50:48 PDT 2003

Hello Aleksey,

I have encountered some problems verifying Visa PARes messages using libxmlsec. The problem happens when the id attribute of the signed portion of the document (PARes) begins with # and contains characters like + (plus) or / (slash). I always attach DTD defining the id attribute of PARes as 'ID' according to section 3.2 in FAQ. But plus and slash characters are not allowed for ID attribute.

Visa has specified this attribute as 'CDATA' not 'ID'. In practice, the PARes messages contain characters invalid for 'ID' type and this is why verification fails sometimes. 

Therefore I try to find out what the w3C xmldsig specification says about it. There is an example in "The Reference Processing Model" chapter saying that example "URI="#chapter1"
 Identifies a node-set containing the element with ID attribute". But this is only an example and I have no feeling that this is a general rule.

Is the restriction to 'ID' attribute based on some other indications in the W3C specification which I could point out to Visa? What would you think about allowing attribute types other than 'ID'?

best regards,
Jacek Nowacki

More information about the xmlsec mailing list