Re: How to deal with null references? from Karel Wouters on 2010-05-11 (public-xmlsec@w3.org from May 2010)

From: Karel Wouters <karel.wouters@esat.kuleuven.be>
Date: Tue, 11 May 2010 18:15:19 +0200
To: Thomas Roessler <tlr@w3.org>
CC: Meiko Jensen <Meiko.Jensen@ruhr-uni-bochum.de>, XMLSec WG Public List <public-xmlsec@w3.org>
Message-ID: <4BE98297.8010304@esat.kuleuven.be>

Indeed; it's related to WYSIWYS.
Maybe this can go in the best practises document.

There's one aspect that is different in the null case:

If a developer wants to indicate the part of an XML document that was
signed, by highlighting it, in the null case, nothing gets highlighted,
and the user might interpret this as "OK, everything is signed".

So if null is signed, the signature is OK, but we may want to advice
that this should raise a warning flag/popup/whatever.

best,

Karel.


On 11/05/2010 17:49, Thomas Roessler wrote:
> Isn't this another instance of the more general effect that one shouldn't trust anything -- except for what one gets out of, e.g., evaluating a particular xpath?
> 
> The real problem in the scenario you describe seems to be that neither side verifies that the xpath is what it's believed to be.
> --
> Thomas Roessler, W3C  <tlr@w3.org>  (@roessler)
> 
> 
> 
> 
> 
> 
> 
> On 11 May 2010, at 17:46, Meiko Jensen wrote:
> 
>> Within the discussion on the XPath referencing style I remembered an
>> issue we came across lately:
>>
>> If an XPath contains syntactical errors, this does not result in a
>> visible error. It is only treated differently, and might just result in
>> referencing no node in the actual XML document. If that is not
>> considered as an error in the XML Signature specification, there is a
>> threat of someone screwing it up without noticing. Even the verifier
>> does not notice: nothing was referenced, so the digest is calculated
>> about the empty nodeset, hence about "". As this was exactly the same
>> input as at the signer side, hash values match => signature is valid.
>> However, it protects nothing in the document from modification.
>>
>> Hence, I recommend putting a sentence to XML Signature 2.0 stating that
>> a reference to an empty nodeset MUST be treated as a fault.
>>
>> best regards
>>
>> Meiko
>>
>> --
>> Dipl.-Inf. Meiko Jensen
>> Chair for Network and Data Security
>> Horst Görtz Institute for IT-Security
>> Ruhr University Bochum, Germany
>> _____________________________
>> Universitätsstr. 150, Geb. IC 4/150
>> D-44780 Bochum, Germany
>> Phone: +49 (0) 234 / 32-26796
>> Telefax: +49 (0) 234 / 32-14347
>> http:// www.nds.rub.de
>>
>>
>>
> 
> 
> 
> http://www.ibbt.be/en/disclaimer

Received on Tuesday, 11 May 2010 16:15:59 UTC