TODO - santuario-java - Git at Google

 If we sign a Manifest, we have to ensure that the References inside the Manifest have correct digest values (that we do not blindly sign contents which an attacker wants us to sign). Additionally, the signed contents of such a (nested) Manifest have to be made available to the user. Currently, only the 1st level contents (what is referenced by SignedInfo) are available using XMLSignature.getSignedInfo().getSignedContent(int i). Same comments apply to sigining a ds:Reference from another Manifest or SignedInfo.

 Question: What is an appropriate processing model if the user signs a ds:Manifest or a ds:Reference ?
 Possible choices include:
 - only process the SignedInfo. Make information about signed Manifests, References or Signatures available to the user. Now it's up to the user to decide whether he follows this hint or not.
 - using the XMLSignature.setFollowNestedManifests(true) method, it can be defined that all Mianifests have to be valid, also Manifests which are referenced from Manifests.
 - the user could define a length how many Manifests have to be followed. But this makes not much sense, cause it makes Signature something 'analog', allowing to scale whether validation fails or not.

 TODO for 1.2.1:
  [X] Fix the memory leak when using xpath or using ResourceResolver and not hitting
   	  getElementByIdUsingDOM() [http://issues.apache.org/bugzilla/show_bug.cgi?id=32836]
  [X] Fix the bug with using XPath2Filter and inclusive c14n
  [X] Fix the bug arrouse in reusing Canonicalizers
  [X] Fix base64transformation bug [http://issues.apache.org/bugzilla/show_bug.cgi?id=33393 ]
  [X] Fix the XMLsignatureInput reset() bug.
  [X] Clean unused jar (xmlParserAPI.jar,etc) and check and stored new versions.
  [X] generated the dist jar with version (i.e. xmlsec-1.2.1.jar instead of plain xmlsec.jar)
  [X] Clean unused build*.xml files.
 TODO for 1.3:
 RAUL:

 [ ] Remove XPath in IdResolver.
 [ ] Deferred XPath till needed.
 [ ] Integrate the SAX patch and add Signing
 [ ] More examples.
 [ ] Change Symbol table to a more efficient and simple structure
 [ ] Optimize ouputstream with native jce, nio & threads.
 [ ] Migrate to JSR105 API
 [ ] ...
	If we sign a Manifest, we have to ensure that the References inside the Manifest have correct digest values (that we do not blindly sign contents which an attacker wants us to sign). Additionally, the signed contents of such a (nested) Manifest have to be made available to the user. Currently, only the 1st level contents (what is referenced by SignedInfo) are available using XMLSignature.getSignedInfo().getSignedContent(int i). Same comments apply to sigining a ds:Reference from another Manifest or SignedInfo.

	Question: What is an appropriate processing model if the user signs a ds:Manifest or a ds:Reference ?
	Possible choices include:
	- only process the SignedInfo. Make information about signed Manifests, References or Signatures available to the user. Now it's up to the user to decide whether he follows this hint or not.
	- using the XMLSignature.setFollowNestedManifests(true) method, it can be defined that all Mianifests have to be valid, also Manifests which are referenced from Manifests.
	- the user could define a length how many Manifests have to be followed. But this makes not much sense, cause it makes Signature something 'analog', allowing to scale whether validation fails or not.

	TODO for 1.2.1:
	[X] Fix the memory leak when using xpath or using ResourceResolver and not hitting
	getElementByIdUsingDOM() [http://issues.apache.org/bugzilla/show_bug.cgi?id=32836]
	[X] Fix the bug with using XPath2Filter and inclusive c14n
	[X] Fix the bug arrouse in reusing Canonicalizers
	[X] Fix base64transformation bug [http://issues.apache.org/bugzilla/show_bug.cgi?id=33393 ]
	[X] Fix the XMLsignatureInput reset() bug.
	[X] Clean unused jar (xmlParserAPI.jar,etc) and check and stored new versions.
	[X] generated the dist jar with version (i.e. xmlsec-1.2.1.jar instead of plain xmlsec.jar)
	[X] Clean unused build*.xml files.
	TODO for 1.3:
	RAUL:

	[ ] Remove XPath in IdResolver.
	[ ] Deferred XPath till needed.
	[ ] Integrate the SAX patch and add Signing
	[ ] More examples.
	[ ] Change Symbol table to a more efficient and simple structure
	[ ] Optimize ouputstream with native jce, nio & threads.
	[ ] Migrate to JSR105 API
	[ ] ...