W3C home > Mailing lists > Public > public-xmlsec@w3.org > August 2010

RE: Updated Signature 2.0 with minor edits

From: Pratik Datta <pratik.datta@oracle.com>
Date: Thu, 26 Aug 2010 01:38:58 -0700 (PDT)
Message-ID: <81c2aa0e-bd82-42d5-bef6-d334dc64456e@default>
To: Frederick.Hirsch@nokia.com
Cc: public-xmlsec@w3.org
I made the change but with a little bit of rewording.
http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-20/Overview.html#sec-Verification-2.0

"Verification of the <dsig2:Verifcation> element by validators is optional, even if the element is present. For example validators can ignore the <dsig2:PositionAssertion>, and just rely on ID-based referencing (with the risk of being vulnerable to signature wrapping attacks) for simplicity"



Let me know if this rewording is acceptable. I wanted to say that someone would ignore  PositionAssertion for simplicity, e.g. they do not have the ability to process XPath.

This should complete my ACTION-639

Pratik

-----Original Message-----
From: Frederick.Hirsch@nokia.com [mailto:Frederick.Hirsch@nokia.com] 
Sent: Monday, August 23, 2010 8:23 AM
To: Pratik Datta
Cc: Frederick.Hirsch@nokia.com; public-xmlsec@w3.org
Subject: Re: Updated Signature 2.0 with minor edits

Shouldn't the XPath profile reference be normative? ( If so the reference should be [[!XMLDSIG-XPATH]] )

In http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-20/Overview.html#sec-Verification-2.0, <dsig2:PositionAssertion>, I suggest the following change:

Remove the last sentence from #2 ("The good thing about this approach is that implementations could simply ignore this verification assertion and rely solely on the ID-based referencing at the risk of being vulnerable to signature wrapping.")

Add new paragraph after numbered list, with the following text:

Verification of the <dsig2:Verifcation>  element by validators is optional, even if the element is present.  Thus validators can make a trade off between sole ID-based referencing (with the risk of being vulnerable to signature wrapping attacks) or verifying the <dsig2:PositionAssertion>, for example.

regards, Frederick

Frederick Hirsch
Nokia



On Aug 22, 2010, at 11:29 AM, ext Pratik Datta wrote:

> I made changes for the following actions
>  
> ACTION-615
>   I made a new reference [XMLDSIG-XPATH] which points to http://www.w3.org/TR/2010/WD-xmldsig-xpath/  (Note: this location does not resolve to anything till we publish it)
>  
> ACTION-626
>  I removed <DigestData> completely
>  
> ACTION-627
> I added this section.  See http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-20/Overview.html#sec-Verification-2.0
> <dsig2:PositionAssertion> is used to enable ID-based referencing that is more resistant to signature wrapping attacks. It contains an XPath expression that has to match the referenced content's position in the document. This way, instead of "selecting" the referenced element via XPath we just "verify" its position (which then is way more flexible in terms of what is really enforced), but stick to ID-based referencing in selection. The good thing about this approach is that implementations could simply ignore this verification assertion and rely solely on the ID-based referencing at the risk of being vulnerable to signature wrapping.
>  
> Pratik
>  
Received on Thursday, 26 August 2010 08:40:13 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:55:14 UTC