W3C home > Mailing lists > Public > public-xmlsec@w3.org > April 2010

Processing Instructions for supporting Streaming mode?

From: Meiko Jensen <Meiko.Jensen@ruhr-uni-bochum.de>
Date: 19 Apr 2010 13:25:23 +0200
Message-ID: <4BCC3DA3.1030709@ruhr-uni-bochum.de>
To: "XMLSec WG Public List" <public-xmlsec@w3.org>
Hi all,

regarding the support for streaming mode verification of XML Signatures
I'd like to throw in the following idea: Is is useful to define optional
XML processing instructions that indicate the parsing engine with all
information necessary to process the referenced parts of a document?
Strawman example:

<A>
  <?xml-signature c14n="..." digestMethod="..." ?>
  <SignedFragment>
    Some signed contents
  </SignedFragment>
</A>

This way, the parsing engine is not required to first inspect the
<ds:Signature> subtree for determining the selection paths (e.g. if that
information occurs late in the document, as e.g. in SAML Assertions).
Hence, this might allow one-pass signature verification instead of
two-pass/DOM in many scenarios. It's easier to collect all data, then
draw the links instead of starting with the <Reference> and follow a
backward link.

Obviously, the information given in the PI must be validated for
equality to those given in the <ds:Signature> part later on, to prevent
version-rollback attacks. However, I don't see a reason to have the PI
covered by any signature itself.

What do you think?

best regards

Meiko

-- 
Dipl.-Inf. Meiko Jensen
Chair for Network and Data Security 
Horst Görtz Institute for IT-Security 
Ruhr University Bochum, Germany
_____________________________
Universitätsstr. 150, Geb. IC 4/150
D-44780 Bochum, Germany
Phone: +49 (0) 234 / 32-26796
Telefax: +49 (0) 234 / 32-14347
http:// www.nds.rub.de
Received on Monday, 19 April 2010 11:25:53 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 19 April 2010 11:25:54 GMT