Why XML Security is Broken
Submitted by Paweł Krawczyk on Mon, 2009-01-19 11:27
1. XML is an inherently unstable and therefore unsignable data format. XML-Dsig attempts to fix this via canonicalisation rules, but they don't really work.
2. The use of an "If it isn't XML, it's crap" design approach that led to the rejection of conventional, proven designs in an attempt to prove that XML was more flexible than existing stuff.
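
An illustration of point 1, added here and not part of the original post: one logical document (a constructed sample with a hypothetical `urn:example:order` namespace) is serialised in different ways, then hashed raw and after Python's standard-library C14N 2.0 `canonicalize()` with its default options. Attribute order and quoting are reconciled, while a different namespace prefix or pretty-printing whitespace still changes the digest.

```python
import hashlib
from xml.etree.ElementTree import canonicalize  # C14N 2.0, Python 3.8+

# Constructed sample: one logical document (hypothetical namespace), four serialisations.
BASE = ('<o:order xmlns:o="urn:example:order" id="7" currency="EUR">'
        '<o:item>widget</o:item></o:order>')

VARIANTS = {
    # Attribute order and quote style changed.
    "attr_order_and_quotes": (
        "<o:order currency='EUR' id='7' xmlns:o='urn:example:order'>"
        "<o:item>widget</o:item></o:order>"),
    # Same namespace URI bound to a different prefix.
    "namespace_prefix": (
        '<ord:order xmlns:ord="urn:example:order" id="7" currency="EUR">'
        '<ord:item>widget</ord:item></ord:order>'),
    # Pretty-printed: whitespace-only text nodes between elements.
    "pretty_printed": (
        '<o:order xmlns:o="urn:example:order" id="7" currency="EUR">\n'
        '  <o:item>widget</o:item>\n'
        '</o:order>'),
}


def digest(text: str) -> str:
    """SHA-256 over the UTF-8 bytes, as a signature's digest step would see them."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def compare(base: str, variant: str) -> tuple:
    """Return (raw_digests_match, canonical_digests_match)."""
    raw = digest(base) == digest(variant)
    canonical = digest(canonicalize(base)) == digest(canonicalize(variant))
    return raw, canonical


def report() -> dict:
    """Compare every constructed variant against BASE."""
    return {name: compare(BASE, xml) for name, xml in VARIANTS.items()}


if __name__ == "__main__":
    for name, (raw, canonical) in report().items():
        print(f"{name:24} raw match: {raw!s:5}  after C14N: {canonical}")
```

`canonicalize()` also accepts `strip_text=True` and `rewrite_prefixes=True`, which make the last two variants match, but signer and verifier must then agree on exactly the same option set.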









