Re: Updated Signature 2.0 with minor edits from Frederick.Hirsch@nokia.com on 2010-08-23 (public-xmlsec@w3.org from August 2010)

From: <Frederick.Hirsch@nokia.com>
Date: Mon, 23 Aug 2010 17:23:01 +0200
To: <pratik.datta@oracle.com>
CC: <Frederick.Hirsch@nokia.com>, <public-xmlsec@w3.org>
Message-ID: <EA02700F-1422-4968-A3D8-91B5F2FE0D06@nokia.com>

Shouldn't the XPath profile reference be normative? ( If so the reference should be [[!XMLDSIG-XPATH]] )

In http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-20/Overview.html#sec-Verification-2.0, <dsig2:PositionAssertion>, I suggest the following change:

Remove the last sentence from #2 ("The good thing about this approach is that implementations could simply ignore this verification assertion and rely solely on the ID-based referencing at the risk of being vulnerable to signature wrapping.")

Add new paragraph after numbered list, with the following text:

Verification of the <dsig2:Verifcation>  element by validators is optional, even if the element is present.  Thus validators can make a trade off between sole ID-based referencing (with the risk of being vulnerable to signature wrapping attacks) or verifying the <dsig2:PositionAssertion>, for example.

regards, Frederick

Frederick Hirsch
Nokia

On Aug 22, 2010, at 11:29 AM, ext Pratik Datta wrote:

> I made changes for the following actions
>  
> ACTION-615
>   I made a new reference [XMLDSIG-XPATH] which points to http://www.w3.org/TR/2010/WD-xmldsig-xpath/  (Note: this location does not resolve to anything till we publish it)
>  
> ACTION-626
>  I removed <DigestData> completely
>  
> ACTION-627
> I added this section.  See http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-20/Overview.html#sec-Verification-2.0
> <dsig2:PositionAssertion> is used to enable ID-based referencing that is more resistant to signature wrapping attacks. It contains an XPath expression that has to match the referenced content's position in the document. This way, instead of "selecting" the referenced element via XPath we just "verify" its position (which then is way more flexible in terms of what is really enforced), but stick to ID-based referencing in selection. The good thing about this approach is that implementations could simply ignore this verification assertion and rely solely on the ID-based referencing at the risk of being vulnerable to signature wrapping.
>  
> Pratik
>

Received on Monday, 23 August 2010 15:23:51 UTC