W3C home > Mailing lists > Public > public-xmlsec@w3.org > October 2008

Re: Potential additional best practice issue? (was closure of ACTION-58)

From: Juan Carlos Cruellas <cruellas@ac.upc.edu>
Date: Mon, 13 Oct 2008 14:13:23 +0200
Message-ID: <48F33B63.3050203@ac.upc.edu>
To: xml sec public <public-xmlsec@w3.org>

Frederick,

Thanks for the message, and again, my appologies for missplacing my 
comments...I see now that the administrative page has all the links to 
the draft documents, so I hope this does not happen again....

As for your reactions, please see below intermixed.



Frederick Hirsch escribió:
>
> Juan Carlos
>
> Thanks for reviewing the best practices document
>
> I believe your comment is in the following document you uploaded:
> http://www.w3.org/2008/xmlsec/Drafts/best-practices/comments-bhill-jcc.html 
>
> The comment is in section 2.1 before the first best practice and is:
> "[jcc: I think that best practices 1 and 3 overlap somehow, as they 
> seem to mix two concepts: "authentication" of the signer, and trust in 
> that signer. I would also say that the header of best practice 1 is a 
> does not completely match the content, as its content actually speaks 
> of trust not of authentication. My proposal would be to change the 
> header of best practice 1 to: "Mitigate denial of service attacks by 
> executing potentially dangerous operations only after establishing 
> trust in the signer key". After that I would suppress best practice 3. ]"
> Thus in the latest editors draft
> http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/
> I believe your proposal is:
> 1. change the title of best practice 1 to: "Mitigate denial of service 
> attacks by executing potentially dangerous operations only after 
> establishing trust in the signer key"
> 2. remove best practice 2:  Best Practice 2: Establish trust in the 
> verification/validation key.
> However I think the intent of best practice 1 was to indicate 
> verification of the signature on SignedInfo before validating 
> references and #2 was to also remind to verify keys, thus I suggest we 
> do not make the change you suggest, since #1 did include signature 
> verification and #2 is important to call out the importance of key 
> verification.
> regards, Frederick
>
Mmmmm, I see the point that you make, but I still see in BP1 text 
related to establishing trust. Take a look to the following pieces:

"Validate the ds:Reference elements for a signature only after 
establishing trust, for example by verifying the key and validating 
ds:SignedInfo first."

"1. /Step 1/ fetch the verification key and establish trust in that key"

"But by step 3, the entire Signed info has been authenticated, and so 
all the URIs and transforms in the SignedInfo can be attributed to a 
responsible party. However an implementation may still choose to 
disallow these operations even in step 3, if the party is not trusted to 
perform them."

Now, taking your point: that "the intent of best practice 1 was to 
indicate verification of the signature on SignedInfo before validating 
references", may I suggest then the following:

1. Convert BP 2 to BP1. Rationale, we establish since the very beginnign 
this issue.
2. Rename BP1 title so that it actually reads what you mention: 
"Mitigate denial of service attacks by validating the references (that 
might imply potentially dangerous operations ) only after the 
verification of SignedInfo has been completed"

Does it seem reasonable?

Regards

Juan Carlos.

> Frederick Hirsch
> Nokia
>
>
>
> On Oct 7, 2008, at 11:16 AM, ext Juan Carlos Cruellas wrote:
>
>>
>> Dear all,
>>
>> I have posted a reviewed version of the best practices  documents with
>> one comment as reported in the message below:
>>
>> http://lists.w3.org/Archives/Member/member-xmlsec-commits/2008Oct/0004.html 
>>
>>
>> This should be close action 58 on myself.
>>
>> Regards
>>
>> Juan Carlos.
>>
>>
>>
>>
>
>
Received on Monday, 13 October 2008 12:15:35 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:43:55 GMT