RE: [ACTION-412][Fwd: Re: namespace wrapping attacks against XML Signature?]

From: Scott Cantor <cantor.2@osu.edu>
Date: Mon, 7 Dec 2009 13:49:48 -0500
To: "'Pratik Datta'" <PRATIK.DATTA@oracle.com>, <edsimon@xmlsec.com>, "'XMLSec WG Public List'" <public-xmlsec@w3.org>
Cc: "'Meiko Jensen'" <Meiko.Jensen@ruhr-uni-bochum.de>, "'Jörg Schwenk'" <joerg.schwenk@rub.de>
Message-ID: <00a101ca776e$0db58bf0$2920a3d0$@2@osu.edu>

Pratik Datta wrote on 2009-12-07:
> I read the paper, very interesting.
> The crux of the attack is that the XPath expression is considered a text
> node, so Exclusive Canonicalization does not consider any of the namespace
> prefixes inside that as visibly utilized, hence it doesn't include them.

Yes, pretty much the same as the QName issue.

> Canonicalization 2.0 also looks at some prefixes that are embedded in
> content. Currently it only looks at prefixes in the xsi:type attribute. We
> might consider extending it to prefixes in the IncludedXPath and
> ExcludedXPath elements.

That seems quite logical to me.

-- Scott
Received on Monday, 7 December 2009 18:50:41 GMT
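
Added example (not part of the original message or of any WG code): a verifier-side check for the point discussed above, that a prefix used only inside XPath text gets no declaration in the canonical form, so its binding is not covered by the digest. Python's xml.etree.ElementTree.canonicalize (C14N 2.0 with default options) stands in for the canonicalizer; the urn:example namespaces, the Selection wrapper and the function names are assumptions made for the illustration.

```python
import io
import re
import xml.etree.ElementTree as ET

# Constructed sample: prefix "a" occurs only inside the XPath text.
TEMPLATE = (
    '<sel:Selection xmlns:sel="urn:example:selection" xmlns:a="{uri}">'
    '<sel:IncludedXPath>/a:Order/a:Item</sel:IncludedXPath>'
    '</sel:Selection>'
)
DOC_ORIGINAL = TEMPLATE.format(uri="urn:example:orders")
DOC_REBOUND = TEMPLATE.format(uri="urn:example:other")

XPATH_ELEMENTS = {"IncludedXPath", "ExcludedXPath"}
# Simplified prefix finder (not a full XPath tokenizer); skips axes like "child::".
PREFIX_RE = re.compile(r"(?<![\w.-])([A-Za-z_][\w.-]*):(?=[A-Za-z_*])")


def canonical_form(xml_text):
    """Canonical text with default options: only visibly used namespaces are kept."""
    return ET.canonicalize(xml_text)


def uncovered_xpath_prefixes(xml_text):
    """Prefixes used in XPath text that have no declaration in scope in xml_text."""
    in_scope, missing = [], set()
    events = ET.iterparse(io.BytesIO(xml_text.encode("utf-8")),
                          events=("start-ns", "end-ns", "end"))
    for event, payload in events:
        if event == "start-ns":
            in_scope.append(payload[0])      # payload is (prefix, uri)
        elif event == "end-ns":
            in_scope.pop()
        elif payload.tag.rsplit("}", 1)[-1] in XPATH_ELEMENTS:
            used = set(PREFIX_RE.findall(payload.text or ""))
            missing |= used - set(in_scope)
    return missing


if __name__ == "__main__":
    c1, c2 = canonical_form(DOC_ORIGINAL), canonical_form(DOC_REBOUND)
    print(c1)
    print("same canonical form for both bindings:", c1 == c2)
    print("prefixes not covered:", sorted(uncovered_xpath_prefixes(c1)))
```

Run on the canonical form, the check reports the prefix "a"; run on the original document, where the declaration is still present, it reports nothing.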