oss-sec mailing list archives

Fixing the XML signature HMAC truncation authentication bypass


From: Florian Weimer <fw () deneb enyo de>
Date: Tue, 14 Jul 2009 22:00:18 +0200

Quoting from <http://www.kb.cert.org/vuls/id/466161>:

| XML Signature Syntax and Processing (XMLDsig) is a W3C
| recommendation for providing integrity, message authentication,
| and/or signer authentication services for data. XMLDsig is commonly
| used by web services such as SOAP. The XMLDsig recommendation
| includes support for HMAC truncation, as specified in RFC2014. When
| HMAC truncation is under the control of an attacker, however, this
| can result in an effective authentication bypass. For example, by
| specifying an HMACOutputLength of 1, only one bit of the signature
| is verified. This can allow an attacker to forge an XML signature
| that will be accepted as valid.

What shall we do about this?  Shall we just cap the value at 80 or 96
bits in our implementations?
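
The check asked about above, as an added example that is not part of the original post or of any XMLDsig implementation: a verifier that trusts the HMACOutputLength carried in the message, next to one that enforces a floor before comparing. The function names, the sample key and data, and the floor of max(80 bits, half the digest length) are assumptions made for this example.

```python
import hashlib
import hmac

# Assumed policy floor in bits (the post floats 80 or 96); not from any library.
MIN_OUTPUT_BITS = 80


def truncated_mac(key: bytes, data: bytes, bits: int, digest: str = "sha1") -> bytes:
    """Leftmost `bits` bits of HMAC(key, data); unused bits of the last byte are zeroed."""
    full = hmac.new(key, data, digest).digest()
    out = bytearray(full[:(bits + 7) // 8])
    if bits % 8:
        out[-1] &= (0xFF << (8 - bits % 8)) & 0xFF
    return bytes(out)


def verify_naive(key: bytes, data: bytes, sig: bytes, output_bits: int) -> bool:
    """Flawed: the truncation length is taken from the message as-is."""
    return hmac.compare_digest(truncated_mac(key, data, output_bits), sig)


def verify_hardened(key, data, sig, output_bits=None, digest="sha1") -> bool:
    """Reject any HMACOutputLength below the floor before doing the comparison."""
    full_bits = hashlib.new(digest).digest_size * 8
    floor = max(MIN_OUTPUT_BITS, full_bits // 2)
    if output_bits is None:          # element absent: no truncation
        output_bits = full_bits
    if not floor <= output_bits <= full_bits or output_bits % 8:
        return False
    if len(sig) != output_bits // 8:  # signature value must match the declared length
        return False
    return hmac.compare_digest(truncated_mac(key, data, output_bits, digest), sig)


if __name__ == "__main__":
    key = b"k" * 20                                      # constructed sample key
    data = b"<SignedInfo>constructed</SignedInfo>"       # constructed sample input
    guesses = (b"\x00", b"\x80")                         # the only two 1-bit values
    print("naive, 1 bit:   ", any(verify_naive(key, data, g, 1) for g in guesses))
    print("hardened, 1 bit:", any(verify_hardened(key, data, g, 1) for g in guesses))
    print("hardened, 96:   ", verify_hardened(key, data, truncated_mac(key, data, 96), 96))
```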

