[xmlsec] XPATH and Visa 3D-secure specification

Rich Salz rsalz at datapower.com
Thu Sep 25 07:38:27 PDT 2003

Are they doing something like this?

     <visa:PARes id="...">
and then later on doing
     <ds:Reference URI="#..."
Then according to the last paragraph of section, the PARes id 
attribute *must* be an XML ID.

The language is a little obscure, but if you read and 
carefully, you will see that if dsig:Reference/@URI has a "#", then it 
is taken as a "barename XPointer".  Which means that it can only refer 
to something that is a legal XML ID attribute.  This is XPointer, not XPath.

VISA is non-conformant; the visa:PARes/@id attribute MUST be of type ID, 
and must conform to the syntax requirements of ID's.

Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
XML Security Overview  http://www.datapower.com/xmldev/xmlsecurity.html

More information about the xmlsec mailing list