- From: <Frederick.Hirsch@nokia.com>
- Date: Thu, 26 Aug 2010 14:53:13 +0200
- To: <pratik.datta@oracle.com>
- CC: <Frederick.Hirsch@nokia.com>, <public-xmlsec@w3.org>
That is fine, though I'd get rid of the ", for simplicity". Also Verification is misspelled in the element name.
Please let me know when you are done with all the edits and with checking links, validation etc - then I will start the publication process.
regards, Frederick
Frederick Hirsch
Nokia
On Aug 26, 2010, at 4:38 AM, ext Pratik Datta wrote:
> I made the change but with a little bit of rewording.
> http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-20/Overview.html#sec-Verification-2.0
>
> "Verification of the <dsig2:Verifcation> element by validators is optional, even if the element is present. For example validators can ignore the <dsig2:PositionAssertion>, and just rely on ID-based referencing (with the risk of being vulnerable to signature wrapping attacks) for simplicity"
>
>
>
> Let me know if this rewording is acceptable. I wanted to say that someone would ignore PositionAssertion for simplicity, e.g. they do not have the ability to process XPath.
>
> This should complete my ACTION-639
>
> Pratik
>
> -----Original Message-----
> From: Frederick.Hirsch@nokia.com [mailto:Frederick.Hirsch@nokia.com]
> Sent: Monday, August 23, 2010 8:23 AM
> To: Pratik Datta
> Cc: Frederick.Hirsch@nokia.com; public-xmlsec@w3.org
> Subject: Re: Updated Signature 2.0 with minor edits
>
> Shouldn't the XPath profile reference be normative? ( If so the reference should be [[!XMLDSIG-XPATH]] )
>
> In http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-20/Overview.html#sec-Verification-2.0, <dsig2:PositionAssertion>, I suggest the following change:
>
> Remove the last sentence from #2 ("The good thing about this approach is that implementations could simply ignore this verification assertion and rely solely on the ID-based referencing at the risk of being vulnerable to signature wrapping.")
>
> Add new paragraph after numbered list, with the following text:
>
> Verification of the <dsig2:Verifcation> element by validators is optional, even if the element is present. Thus validators can make a trade off between sole ID-based referencing (with the risk of being vulnerable to signature wrapping attacks) or verifying the <dsig2:PositionAssertion>, for example.
>
> regards, Frederick
>
> Frederick Hirsch
> Nokia
>
>
>
> On Aug 22, 2010, at 11:29 AM, ext Pratik Datta wrote:
>
>> I made changes for the following actions
>>
>> ACTION-615
>> I made a new reference [XMLDSIG-XPATH] which points to http://www.w3.org/TR/2010/WD-xmldsig-xpath/ (Note: this location does not resolve to anything till we publish it)
>>
>> ACTION-626
>> I removed <DigestData> completely
>>
>> ACTION-627
>> I added this section. See http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-20/Overview.html#sec-Verification-2.0
>> <dsig2:PositionAssertion> is used to enable ID-based referencing that is more resistant to signature wrapping attacks. It contains an XPath expression that has to match the referenced content's position in the document. This way, instead of "selecting" the referenced element via XPath we just "verify" its position (which then is way more flexible in terms of what is really enforced), but stick to ID-based referencing in selection. The good thing about this approach is that implementations could simply ignore this verification assertion and rely solely on the ID-based referencing at the risk of being vulnerable to signature wrapping.
>>
>> Pratik
>>
>
>
Received on Thursday, 26 August 2010 12:54:01 UTC