
Re: ACTION-578: External unparsed entities in Best Practices

From: Thomas Roessler <tlr@w3.org>
Date: Tue, 1 Jun 2010 13:01:05 +0200
Cc: XMLSec WG Public List <public-xmlsec@w3.org>
Message-Id: <D960D0DD-AD25-4376-938C-FD232F35ED7D@w3.org>
To: Thomas Roessler <tlr@w3.org>
Per ACTION-582, I've made the requisite edits to the best practices document.
http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/

Regards,
--
Thomas Roessler, W3C  <tlr@w3.org>  (@roessler)
On 11 May 2010, at 17:07, Thomas Roessler wrote:

> Here's a text suggestion around external unparsed entities:
> 	
>> Resolving external unparsed entity references can imply network access and can in certain circumstances be a security concern for signature verifiers. As a policy decision, signature verifiers may choose not to resolve such entities, leading to a loss of interoperability.
>> 
>> Best practice for signers:
>> 
>> Do not transmit unparsed external entity references in signed material.  Expand all entity references before creating the cleartext that is transmitted.
> 
> Here's a suggestion around schema, replacing 2.7 and 2.8:
> 
>> Part of the validation process defined by XML Schema includes the "normalization" of lexical values in a document into a "schema normalized value" that allows schema type validation to occur against a predictable form.
>> 
>> Some implementations of validating parsers, particularly early ones, often modified DOM information "in place" when performing this process. Unless the signer also performed a similar validation process on the input document, verification is likely to fail. Newer validating parsers generally include an option to disable type normalization, or take steps to avoid modifying the DOM, usually by storing normalized values internally alongside the original data.
>> 
>> Verifiers should be aware of the effects of their chosen parser and adjust the order of operations or parser options accordingly. Signers might also choose to operate on the normalized form of an XML instance when possible.
>> 
>> Additionally, validating processors will add default values taken from an XML schema to the DOM of an XML instance.
>> 
>> 
>> Best practice for signers:
>> 
>> Do not rely on a validating processor on the consumer's end to normalize the XML document. Instead, explicitly include default attribute values, and use normalized attributes when possible.
>> 
>> Best practice for verifiers:
>> 
>> Applications relying on validation should either consider verifying signatures before schema validation, or select implementations that can avoid destructive DOM changes while validating.
>> 
> 
> (That concludes my action; comments more than welcome.)
> --
> Thomas Roessler, W3C  <tlr@w3.org>  (@roessler)
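As an added illustration of the two entity-related best practices in the quoted text (this is not code from the thread or from the Best Practices document), the following Python standard-library snippet shows a verifier-side check that lists the external entities a document declares without resolving any of them, and a signer-side step that refuses such documents and otherwise expands internal entities before producing the cleartext. The sample documents, function names and placeholder URLs are constructed for the example.

```python
import re
from xml.etree import ElementTree as ET
from xml.parsers import expat

PREDEFINED = {"amp", "lt", "gt", "quot", "apos"}

# Constructed samples (assumption: typical signer input). The first declares an
# internal entity, an external parsed entity and an unparsed (NDATA) entity;
# the URLs are placeholders and are never fetched.
DOC_WITH_EXTERNAL = """<!DOCTYPE doc [
  <!ENTITY vendor "Example Corp">
  <!ENTITY terms SYSTEM "http://example.invalid/terms.xml">
  <!NOTATION png SYSTEM "image/png">
  <!ENTITY logo SYSTEM "http://example.invalid/logo.png" NDATA png>
]>
<doc>&vendor; &terms;</doc>"""

DOC_INTERNAL_ONLY = """<!DOCTYPE doc [ <!ENTITY vendor "Example Corp"> ]>
<doc>&vendor; &amp; partners</doc>"""


def external_entities(xml_text):
    """Verifier side: list every external entity the DTD declares, without
    resolving any of them (no network or file access happens here)."""
    found = []
    parser = expat.ParserCreate()

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if value is None:  # expat passes None as the value of an external entity
            found.append((name, system_id, "unparsed" if notation else "parsed"))

    parser.EntityDeclHandler = entity_decl
    # Returning 1 tells expat to skip an external reference instead of loading it.
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 1
    parser.Parse(xml_text, True)
    return found


def remaining_references(xml_text):
    """Names of non-predefined entity references still present in the text."""
    refs = re.findall(r"&([^#;&\s][^;&\s]*);", xml_text)
    return sorted({r for r in refs if r not in PREDEFINED})


def expand_for_signing(xml_text):
    """Signer side: refuse external entities, expand the internal ones and drop
    the DTD, so the cleartext that is signed needs no entity resolution."""
    if external_entities(xml_text):
        raise ValueError("document declares external entities; refusing to sign")
    root = ET.fromstring(xml_text)  # expat expands internal entities while parsing
    return ET.tostring(root, encoding="unicode")
```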
Received on Tuesday, 1 June 2010 11:01:12 GMT
