Re: [xsl] Including/importing digitally signed XSLT documents?

Subject: Re: [xsl] Including/importing digitally signed XSLT documents?
From: Suresh <suresh.chinta@xxxxxxxxx>
Date: Fri, 21 May 2010 12:27:08 -0400
Security can be enforced at message level or at transport level.

At message level, we use digital signatures or tokens like SAML, LTPA etc.

Transport level security is achieved using encrypted channel - HTTPS

HTTPS might be good for this requirement?

thanks.



On Fri, May 21, 2010 at 12:21 PM, Costello, Roger L. <costello@xxxxxxxxx>
wrote:
>
> Hi Folks,
>
> Imagine an XSLT program that uses <xsl:include> to gain access to an XSLT
document from an external location (say, a W3C XSLT document). It wouldn't be
difficult for an evil person to intercept the ensuing message exchange and
return an XSLT document designed to disrupt the proper functioning of the
original XSLT program, perhaps even resulting in a denial of service.
>
> One approach to prevent this would be to digitally sign the included XSLT
document. Of course, it would be horrific if the XSLT programmer had to write
code to check the digital signature of every XSLT document he
includes/imports.
>
> I envision XSLT processors automatically checking the digital signatures and
triggering an error to the XSLT programs if the digital signatures fail. Thus,
the checking is transparent to the XSLT programmer.
>
> Are there any plans to provide this functionality in XSLT 2.1?
>
> What other approaches are there for ensuring the safe include/import of XSLT
documents at external locations?
>
> /Roger
>



--
Suresh

Current Thread