Re: Including/importing digitally signed XSLT document
Security can be enforced at message level or at transport level. At message level, we use digital signatures or tokens like SAML, LTPA etc. Transport level security is achieved using encrypted channel - HTTPS HTTPS might be good for this requirement? thanks. On Fri, May 21, 2010 at 12:21 PM, Costello, Roger L. <costello@xxxxxxxxx> wrote: > > Hi Folks, > > Imagine an XSLT program that uses <xsl:include> to gain access to an XSLT document from an external location (say, a W3C XSLT document). It wouldn't be difficult for an evil person to intercept the ensuing message exchange and return an XSLT document designed to disrupt the proper functioning of the original XSLT program, perhaps even resulting in a denial of service. > > One approach to prevent this would be to digitally sign the included XSLT document. Of course, it would be horrific if the XSLT programmer had to write code to check the digital signature of every XSLT document he includes/imports. > > I envision XSLT processors automatically checking the digital signatures and triggering an error to the XSLT programs if the digital signatures fail. Thus, the checking is transparent to the XSLT programmer. > > Are there any plans to provide this functionality in XSLT 2.1? > > What other approaches are there for ensuring the safe include/import of XSLT documents at external locations? > > /Roger > -- Suresh
PURCHASE STYLUS STUDIO ONLINE TODAY!
Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!
Download The World's Best XML IDE!
Accelerate XML development with our award-winning XML IDE - Download a free trial today!
Subscribe in XML format