santuario-dev mailing list archives

From "Scott Cantor" <canto...@osu.edu>
Subject RE: Microsoft Office12 Postmark will not verify
Date Wed, 28 Feb 2007 16:39:00 GMT
> > It's actually true both ways...you need more information even if it passes
> > or you have no way to know what's been signed. I do not have a rational
> > proposal to offer for that, however.
> >
> 
> You can also do this with JSR 105 - you can optionally specify whether
> you want to be able to get the referenced data before it is transformed
> and digested. I believe there is also a way to do that in the Apache
> XMLSec APIs (don't have time to check right now).

It has to be *after* the transforms, or you still don't know what's been
signed. If you can constrain the transform set itself, then that's kind of
the other way you approach the problem, e.g. how SAML profiles signatures.

> Or were you suggesting something else?

I should note that I also am concerned about the C++ library, so what the
JSR can do is motivating but not the whole picture.

-- Scott
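
One way to apply the "constrain the transform set" approach mentioned in the message above, as an added example that is not part of the original message or of any Santuario code: a check, run before cryptographic validation, that a signature has one same-document reference to its parent element and uses only the enveloped-signature and exclusive canonicalization transforms. The function names, the `ID` attribute default and the sample document skeleton are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XPATH = "http://www.w3.org/TR/1999/REC-xpath-19991116"
# Transform set in the style of the SAML signature profile.
ALLOWED_TRANSFORMS = {
    DS + "enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
}

def check_signature_profile(xml_text, id_attr="ID"):
    """Return a list of profile violations (empty list = shape acceptable).
    This complements digest and signature validation; it does not replace it.
    Untrusted input should go through a hardened XML parser."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    sigs = list(root.iter(f"{{{DS}}}Signature"))
    if not sigs:
        return ["no ds:Signature element"]
    problems = []
    for sig in sigs:
        signed = parent_of.get(sig)
        if signed is None:
            problems.append("Signature is the document root, not enveloped")
            continue
        refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
        if len(refs) != 1:
            problems.append(f"expected exactly 1 Reference, found {len(refs)}")
            continue
        # The reference must select the element that carries the signature.
        expected = {""} if signed is root else set()
        if signed.get(id_attr):
            expected.add("#" + signed.get(id_attr))
        uri = refs[0].get("URI")
        if uri not in expected:
            problems.append(f"Reference URI {uri!r} does not select the signed parent")
        for tr in refs[0].findall(f"{{{DS}}}Transforms/{{{DS}}}Transform"):
            if tr.get("Algorithm") not in ALLOWED_TRANSFORMS:
                problems.append(f"transform not allowed: {tr.get('Algorithm')}")
    return problems

def sample(uri, transforms):
    """Constructed skeleton: only the parts the check inspects."""
    t = "".join(f'<ds:Transform Algorithm="{a}"/>' for a in transforms)
    return (f'<Assertion xmlns:ds="{DS}" ID="a1"><ds:Signature><ds:SignedInfo>'
            f'<ds:Reference URI="{uri}"><ds:Transforms>{t}</ds:Transforms>'
            f'</ds:Reference></ds:SignedInfo></ds:Signature>'
            f'<Inner ID="x9">payload</Inner></Assertion>')
```

With the transform set fixed this way, the bytes that get digested are determined by the referenced element alone, so the verifier knows what was signed without inspecting post-transform output.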


