- From: Pratik Datta <pratik.datta@oracle.com>
- Date: Tue, 13 May 2008 10:57:31 -0700
- To: Sean Mullan <Sean.Mullan@Sun.COM>
- CC: Konrad Lanz <Konrad.Lanz@iaik.tugraz.at>, Frederick Hirsch <frederick.hirsch@nokia.com>, XMLSec XMLSec <public-xmlsec-maintwg@w3.org>
There could be an xml:id or a wsu:Id (in case it is part of web services). I didn't notice that RetrievalMethod doesn't have an ID. In our implementation we consider any attribute named "Id" that is a child of an element in the dsig or xenc namespace to be an ID attribute. Also there could be an XPath transform pointing to the RetrievalMethod.

In the retrieval method processing, we dereference the ID, execute the transforms, and the result of that should be a KeyInfoData. Now RetrievalMethod is also a KeyInfoData. So RetrievalMethod can point to another RetrievalMethod, which can point to yet another, and so on. And this could form a cycle.

Pratik

Sean Mullan wrote:
>
> Hi Pratik,
>
> Pratik Datta wrote:
>> 2.2 Reduce opportunities for denial of Service attacks
>> Best Practice 5 Avoid RetrievalMethod
>>
>> RetrievalMethods can have bad transforms, external references and
>> infinite loops.
>>
>> Example of Retrieval methods with infinite loop :
>> <RetrievalMethod Id="rm" URI="#rm"/>
>>
>> Infinite loops can also happen with a circular chain of
>> RetrievalMethods .
>
> RetrievalMethods don't have an ID attribute. Even so, I'm not sure how
> you can get an infinite loop - can you explain that?
>
> --Sean
>
Received on Tuesday, 13 May 2008 17:58:46 UTC
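The chain Pratik describes (RetrievalMethod dereferences an ID, the result may itself be a RetrievalMethod, and the chain can close on itself) is shown below as an added example; it is not code from this thread, from the WG, or from any xmlsec implementation. It resolves same-document RetrievalMethod references over a constructed KeyInfo document, treating xml:id, wsu:Id and any unprefixed "Id" attribute on dsig/xenc elements as ID attributes (the rule Pratik states for his implementation), and refuses self-references, circular chains, over-long chains and external URIs. Executing ds:Transforms on the dereferenced node is deliberately left out (an assumption: a real implementation runs them before interpreting the result); the MAX_CHAIN limit and the sample certificate placeholder are hypothetical.

```python
"""Cycle-safe resolution of XML Signature RetrievalMethod chains (added example)."""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
XML_NS = "http://www.w3.org/XML/1998/namespace"
# WS-Security utility namespace, where wsu:Id lives.
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

RETRIEVAL_METHOD = f"{{{DS}}}RetrievalMethod"
MAX_CHAIN = 4  # hypothetical policy limit on RetrievalMethod hops


class RetrievalError(Exception):
    """Raised when a RetrievalMethod chain cannot be resolved safely."""


def index_ids(root):
    """Map every ID value to its element.

    An attribute is an ID if it is xml:id, wsu:Id, or an unprefixed "Id"
    on an element in the dsig or xenc namespace. Duplicate IDs are rejected.
    """
    ids = {}
    for el in root.iter():
        in_sec_ns = el.tag.startswith(f"{{{DS}}}") or el.tag.startswith(f"{{{XENC}}}")
        for name, value in el.attrib.items():
            if name in (f"{{{XML_NS}}}id", f"{{{WSU}}}Id") or (name == "Id" and in_sec_ns):
                if value in ids:
                    raise RetrievalError(f"duplicate ID {value!r}")
                ids[value] = el
    return ids


def resolve_retrieval_method(rm, ids, max_chain=MAX_CHAIN):
    """Follow a RetrievalMethod until it lands on something that is not one.

    Raises RetrievalError on a self-reference, a circular chain, more than
    max_chain hops, a dangling ID, or a URI that is not a same-document "#id".
    Transforms are not executed here (assumption, see lead-in).
    """
    seen = set()  # identities of RetrievalMethod elements already visited
    current, hops = rm, 0
    while current.tag == RETRIEVAL_METHOD:
        if id(current) in seen:
            raise RetrievalError("RetrievalMethod cycle detected")
        seen.add(id(current))
        hops += 1
        if hops > max_chain:
            raise RetrievalError(f"RetrievalMethod chain longer than {max_chain}")
        uri = current.get("URI", "")
        if not uri.startswith("#"):
            # External references are never fetched during KeyInfo processing.
            raise RetrievalError(f"external or empty URI refused: {uri!r}")
        target = ids.get(uri[1:])
        if target is None:
            raise RetrievalError(f"no element with ID {uri[1:]!r}")
        current = target
    return current


# Constructed sample: a valid two-hop chain, the self-reference Sean quoted
# (xml:id standing in for the Id attribute the schema lacks), and a two-element
# cycle that crosses from an xml:id to a wsu:Id.
SAMPLE = f"""
<Envelope xmlns:ds="{DS}" xmlns:wsu="{WSU}">
  <ds:KeyInfo><ds:RetrievalMethod xml:id="start" URI="#hop"/></ds:KeyInfo>
  <ds:KeyInfo><ds:RetrievalMethod xml:id="hop" URI="#cert"/></ds:KeyInfo>
  <ds:X509Data Id="cert">
    <ds:X509Certificate>BASE64-CERT-PLACEHOLDER</ds:X509Certificate>
  </ds:X509Data>
  <ds:KeyInfo><ds:RetrievalMethod xml:id="rm" URI="#rm"/></ds:KeyInfo>
  <ds:KeyInfo><ds:RetrievalMethod xml:id="a" URI="#b"/></ds:KeyInfo>
  <ds:KeyInfo><ds:RetrievalMethod wsu:Id="b" URI="#a"/></ds:KeyInfo>
</Envelope>
"""


def check_all(xml_text, max_chain=MAX_CHAIN):
    """Resolve every RetrievalMethod in the document.

    Returns {retrieval_method_id: local name of the resolved element, or
    "error: ..." with the reason the chain was refused}.
    """
    root = ET.fromstring(xml_text)
    ids = index_ids(root)
    results = {}
    for rm in root.iter(RETRIEVAL_METHOD):
        key = rm.get(f"{{{XML_NS}}}id") or rm.get(f"{{{WSU}}}Id")
        try:
            results[key] = resolve_retrieval_method(rm, ids, max_chain).tag.split("}")[1]
        except RetrievalError as exc:
            results[key] = f"error: {exc}"
    return results


if __name__ == "__main__":
    for rm_id, outcome in check_all(SAMPLE).items():
        print(f"{rm_id}: {outcome}")
```

The visited set is what turns Sean's question into a concrete check: the single-element loop `#rm -> #rm` and the `#a -> #b -> #a` cycle both fail on the second visit rather than spinning, and the hop limit bounds even non-cyclic chains an attacker can make arbitrarily long.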