Interaction between ID and XPath for XML Signature 2.0 Selection ACTION-737

In XML Signature 2.0, for Selections of type XML, there are three parameters for selecting

1. ID
2. IncludedXPath
3. ExcludedXPath

Currently there is an inconsistency in the spec about how these interact.

The XPath profile for XML signature mentions that XPaths need to be absolute, and are evaluated from the root of the document.
But the XML Signature 2.0 spec mentions that although these are absolute, they are evaluated from the root of the subtree that the ID points to.  (See http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-20/#sec-Type-xml section 6.7.1.2)

We need to fix this inconsistency.  Here are several options:


Option 1 (my preference): You should either use ID or use IncludedXPath, but not both together.
 IncludedXPath and ExcludedXPath are both absolute, and they cannot use the id() function.


Option 2: Similar to option 1, i.e. you should either use ID or use IncludedXPath, and the XPaths are absolute.
 However, the XPath can use the id() function.  E.g. ExcludedXPath can be id("foo")//bar; this will exclude all bar descendants of the subtree with id foo.

  
Option 3: You can use both ID and IncludedXPath; the result is the union of these two trees. This is similar to the XPath Filter 2 mode.
 Note: the IncludedXPath is an absolute path, so it might select a completely different subtree from the ID subtree, or one may be a child of the other. The result is that both subtrees are selected.


Option 4 (current): You can use both ID and IncludedXPath, and the XPaths are evaluated with the context set by the ID.


Option 5: Get rid of ID completely. If people want to use ID they can use the id() function in XPath. This way there is only a single mechanism for ids.



I say that we go for 1, because this cleanly separates the ID and XPath use cases.  Most people will just use ID and not bother with XPath at all.
For the people who use XPaths, it doesn't make sense for them to use the id() function. XPaths help you prevent wrapping attacks that are possible with IDs, but if you use the id() function then you are back to the wrapping attacks. Also, as I have mentioned, XPath 1.0 doesn't require you to recognize IDness in non-DTD documents, so there are some XPath engines out there in which id() only works with DTD IDs, i.e. it is essentially broken. So, for maximum interoperability, applications should not use the id() function.

Pratik

Received on Monday, 13 December 2010 17:52:35 UTC
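The following is an added example, not part of the original message or of the XML Signature 2.0 drafts, contrasting the selection modes discussed above. It uses only the Python standard library: the ID lookup and the absolute-path evaluator are simplified stand-ins for a real XPath 1.0 engine (child steps only, no id() support), and the Envelope/Body/Order sample documents are constructed for the demonstration. It shows why an absolute IncludedXPath with no id() (Option 1) pins a signed element to its location, while selection by ID, or by an id()-anchored expression (Option 2), finds the same element wherever it has been moved in the tree.

```python
"""Added example (not the original poster's code): ID selection vs. absolute
XPath selection for XML Signature references, using a stand-in XPath evaluator."""
import xml.etree.ElementTree as ET

# Constructed sample: an Order element carrying the ID a Signature reference would point at.
SIGNED_DOC = """<Envelope>
  <Header/>
  <Body>
    <Order id="order-1"><Item>widget</Item></Order>
  </Body>
</Envelope>"""

# Constructed sample: the same ID-bearing Order, but sitting under Header instead of Body.
RELOCATED_DOC = """<Envelope>
  <Header>
    <Order id="order-1"><Item>widget</Item></Order>
  </Header>
  <Body/>
</Envelope>"""


def parse(xml_text):
    """Parse a document string into its root element."""
    return ET.fromstring(xml_text)


def select_by_id(root, id_value):
    """ID selection: find the element with the given id attribute wherever it sits.
    This mirrors what a URI="#order-1" reference gives you: location-independent selection."""
    return [el for el in root.iter() if el.get("id") == id_value]


def select_by_absolute_path(root, abs_path):
    """Option 1 style: an absolute location path evaluated from the document root, no id().
    Supports child steps only ("/Envelope/Body/Order"); a stand-in for a full XPath engine."""
    steps = abs_path.strip("/").split("/")
    if root.tag != steps[0]:
        return []
    if len(steps) == 1:
        return [root]
    return root.findall("./" + "/".join(steps[1:]))


def select_by_id_function(root, id_value, rel_path):
    """Option 2 style: simulates id('order-1')//Item. The id() call re-anchors the
    expression on the ID'd subtree, so the result is again location-independent."""
    found = []
    for subtree in select_by_id(root, id_value):
        found.extend(subtree.findall(rel_path))
    return found


def signed_element_is_where_expected(xml_text, id_value, abs_path):
    """Defender-side consistency check: the element the ID resolves to must be exactly
    the element the absolute path selects. If the ID'd element has been moved elsewhere
    in the document, the two selections disagree and the reference should be rejected."""
    root = parse(xml_text)
    by_id = select_by_id(root, id_value)
    by_path = select_by_absolute_path(root, abs_path)
    return len(by_id) == 1 and by_path == by_id


if __name__ == "__main__":
    for name, doc in (("original", SIGNED_DOC), ("relocated", RELOCATED_DOC)):
        root = parse(doc)
        print(name,
              "by ID:", len(select_by_id(root, "order-1")),
              "absolute path:", len(select_by_absolute_path(root, "/Envelope/Body/Order")),
              "id()//Item:", len(select_by_id_function(root, "order-1", ".//Item")),
              "consistent:", signed_element_is_where_expected(doc, "order-1", "/Envelope/Body/Order"))
```

Running the script shows that both the plain ID lookup and the id()-anchored expression still return the Order element after it has been relocated, whereas the absolute path returns nothing; a verifier that combines the two (the last column) therefore notices that the signed element is no longer where the application expects it.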