Streaming XPath - additional material from our research background

From: Meiko Jensen <Meiko.Jensen@ruhr-uni-bochum.de>
Date: 29 Oct 2009 12:34:16 +0100
Message-ID: <4AE97DB8.1090800@ruhr-uni-bochum.de>
To: public-xmlsec@w3.org

As I recently noticed that the WG deals with problems similar to those we
address in our latest research (i.e. a streamable subset of XPath in the
context of XML Signatures), I'd like to draw your attention to some of
our findings for consideration and discussion.

Though Barton et al. ( http://cs.nyu.edu/~deepak/publications/icde.pdf )
have shown that in theory every XPath expression can be converted into
an equivalent XPath that does not contain any backward axes (thus
allowing stream-based evaluation in general), the topic of a streamable
subset of XPath is of crucial importance. Apart from the pure
performance gains by using a stream-based XML Signature validation (and
maybe also application), one should also be aware of the other use that
such a subset could have -- in terms of fending off the XML Signature
Wrapping attack. As we have shown recently (
http://www.nds.rub.de/media/nds/downloads/mjensen/ICWS09.pdf ), this
particular attack threat can be tackled using position-aware referencing
schemes in XML Signatures, which obviously can be done e.g. using
XPath-based transformations.

We thus defined a strong subset of XPath ourselves (called FastXPath),
which in our view provides both: it performs way better than
full XPath (see evaluation in the paper) and additionally was shown to
be way more resistant to the XML Signature Wrapping threat.

Thus, if you are interested in determining how our work relates to
the ongoing discussion on streamable XPath, please feel free to contact me.

Best regards from Bochum, Germany


Dipl.-Inf. Meiko Jensen
Chair for Network and Data Security 
Horst Görtz Institute for IT-Security 
Ruhr University Bochum, Germany
Universitätsstr. 150, Geb. IC 4/150
D-44780 Bochum, Germany
Phone: +49 (0) 234 / 32-26796
Telefax: +49 (0) 234 / 32-14347
http://www.nds.rub.de
Received on Thursday, 29 October 2009 12:36:53 UTC
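
The contrast the message draws between ID-based and position-aware referencing, as an added Python example that is not part of the original message and is not the FastXPath grammar from the paper. It assumes a simplified path form (absolute, child axis only, a position on every step), uses SHA-256 over the serialized element as a stand-in for canonicalization and signature verification, and the names `resolve`, `accepts`, `APP_PATH` and both sample messages are constructed for illustration.

```python
import hashlib
import io
import re
import xml.etree.ElementTree as ET

# Assumed path form: absolute, child axis only, a position on every step.
PATH = re.compile(r"(/[A-Za-z_][\w.-]*\[[1-9]\d*\])+")
APP_PATH = "/Envelope[1]/Body[1]"  # where the assumed application reads its payload

def resolve(xml_bytes, path=None, elem_id=None):
    """One forward pass; return [(absolute_path, sha256_hex)] for each match."""
    if path is not None and not PATH.fullmatch(path):
        raise ValueError("not an absolute, forward-only, positioned path")
    stack, counts, hits = [], [{}], []
    events = ET.iterparse(io.BytesIO(xml_bytes), events=("start", "end"))
    for event, elem in events:
        if event == "start":
            seen = counts[-1]  # same-name sibling counters at this depth
            seen[elem.tag] = seen.get(elem.tag, 0) + 1
            stack.append(f"{elem.tag}[{seen[elem.tag]}]")
            counts.append({})
            continue
        here = "/" + "/".join(stack)  # path of the element that just closed
        stack.pop()
        counts.pop()
        if here == path or (elem_id is not None and elem.get("Id") == elem_id):
            elem.tail = None
            # Stand-in for canonicalization plus digest of the referenced element.
            hits.append((here, hashlib.sha256(ET.tostring(elem)).hexdigest()))
    return hits

def accepts(doc, signed_digest, position_aware):
    """True only if the reference selects one element carrying the signed digest."""
    if position_aware:
        hits = resolve(doc, path=APP_PATH)
    else:
        hits = resolve(doc, elem_id="body")
    return len(hits) == 1 and hits[0][1] == signed_digest

# Constructed messages: no namespaces, no real signature value.
SIGNED = (b'<Envelope><Header><Signature ref="body"/></Header>'
          b'<Body Id="body"><Order item="A"/></Body></Envelope>')
# Constructed wrapped variant: signed Body relocated, another Body in its place.
WRAPPED = (b'<Envelope><Header><Signature ref="body"/><Wrapper>'
           b'<Body Id="body"><Order item="A"/></Body></Wrapper></Header>'
           b'<Body Id="new"><Order item="B"/></Body></Envelope>')
SIGNED_DIGEST = resolve(SIGNED, path=APP_PATH)[0][1]
```

For `WRAPPED`, the ID-based check still accepts because the `Id="body"` element is found unchanged under `Header`, while the position-aware check hashes the element the application actually reads at `APP_PATH` and rejects.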