[vbezhenar]

I agree that it's a bad idea. I had an issue with two XML libraries with different languages. One did XML signing, other did verifying. They just did not work, properly signed message failed to validate. I tried to debug, but those standards were incomprehensible, there are thousands of LoC dedicated to normalization and whatnot. You need few dozens of LoC to sign or verify bytes and you need incredible complexity to implement that XML security thing.

But the issue is: those standards are out there and they're used and probably some people will use it in new projects and you have to interoperate with them.

So yeah, don't use those standards when you can, but sometimes you have to.