[xsl] Including/importing digitally signed XSLT documents?

Subject: [xsl] Including/importing digitally signed XSLT documents?
From: "Costello, Roger L." <costello@xxxxxxxxx>
Date: Fri, 21 May 2010 12:21:20 -0400
Hi Folks,

Imagine an XSLT program that uses <xsl:include> to gain access to an XSLT
document from an external location (say, a W3C XSLT document). It wouldn't be
difficult for an evil person to intercept the ensuing message exchange and
return an XSLT document designed to disrupt the proper functioning of the
original XSLT program, perhaps even resulting in a denial of service.

One approach to prevent this would be to digitally sign the included XSLT
document. Of course, it would be horrific if the XSLT programmer had to write
code to check the digital signature of every XSLT document he

I envision XSLT processors automatically checking the digital signatures and
triggering an error to the XSLT programs if the digital signatures fail. Thus,
the checking is transparent to the XSLT programmer.

Are there any plans to provide this functionality in XSLT 2.1?

What other approaches are there for ensuring the safe include/import of XSLT
documents at external locations?


Current Thread