W3C home > Mailing lists > Public > public-xmlsec-maintwg@w3.org > May 2008

Best Practices comments

From: Sean Mullan <Sean.Mullan@Sun.COM>
Date: Wed, 28 May 2008 14:53:46 -0400
To: XMLSec <public-xmlsec-maintwg@w3.org>
Message-id: <483DAA3A.2030307@sun.com>

I found this draft a bit difficult to read and a bit all over the place. 
It might be more useful to take a step back and reorganize it a bit. 
Some of the advice is more for implementors, and some of the advice is 
for signers, and other advice is for application specific usages like 
WSS. I also think there's a lot of "don't do this", but not enough of 
"why you should not do this". More examples would also be useful. A 
section at the end with several complete signatures abiding with 
most/all of the best practices would also be useful.

I could try to suggest a different structure, if others also think it is 
worthwhile. Some specific comments follow.

Section 2.1.1

I found this section a bit difficult to follow. I think more of Brad's 
advice/rationale could be listed.

First paragraph: "Avoid using complicated features of XML Signature, 
especially complicated transforms, since it makes it hard for the 
receiver to know what was actually signed."

That's part of the problem (and may not really be a problem if you are 
using an implementation that can cache and display exactly what was 
signed). The other problems are the potential DOS and other attacks with 
certain transforms, and in general the added complexity and more code 
involved (which inevitably has more bugs) and which makes it harder to 
test all the scenarios.

The first bullet says "First an XPath transform ...". This reads as if 
we are advising that XPath be used instead of ID references. This should 
be reworded. It may be better to suggest avoiding XPath, but if 
necessary list some best practices (such as #2 and #3) when using it.

Best Practice #1: an example would be useful to explain this. Also some 
more details about why this is a problem.

This section only discusses limiting transforms when signing. An 
implementation may also want to reject signatures that use certain 
transforms or don't abide by certain practices.

BP #2 and #3 seem related. I would combine them into one BP about XPath 
transforms. A link to the McIntosh wrapping attack paper would also be 
useful here. Also, BP #3 and BP #4 are related so maybe this should be 
moved to section 2.1.2.

Unreadable sentence: "XPath Filter 2 transforms are much to understand 
...". I think it should be "much easier". If so, I don't understand this 
advice. The XPath transform is a SHOULD as well. Is the advice to avoid 
any transform that is not a MUST? If so, that might be good advice.

Section 2.1.2

BP #4 seems inconsistent with the advice given in section 2.1.1. That 
section said it is ok to sign portions of the document as long as you 
use ID references or XPath transforms with some restrictions. This BP 
says to sign all parts (does that mean the whole document?) unless 
impractical.

Section 2.2

I think we need to add more details as to why validating keys first is 
better.

"RetrievalMethods can have bad transforms, external references and 
infinite loops."

More details would be useful here. What is an external reference and why 
is it bad? (I would move BP #7 before BP #6). Does this mean they are ok 
in Reference URIs? It might be better to say something like "since a 
RetrievalMethod is very similar to a Reference (has a URI and 
Transforms), all of the issues that have been discussed with respect to 
complex Transforms are also applicable. Also, a RetrievalMethod can 
reference itself, which may lead to an infinite loop and a DOS attack ..."

BP #7: I think more details on the DOS threats with external URIs would 
be useful.

--Sean
Received on Wednesday, 28 May 2008 18:54:35 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 28 May 2008 18:54:36 GMT