W3C home > Mailing lists > Public > public-xmlsec@w3.org > January 2011

Re: XML Sig 2.0: What protection is gained by the <dsig2:IDAttributes> element?

From: Poehls, Henrich <hp@sec.uni-passau.de>
Date: Thu, 13 Jan 2011 11:47:42 +0100
To: "cantor.2@osu.edu" <cantor.2@osu.edu>
CC: "public-xmlsec@w3.org" <public-xmlsec@w3.org>, Meiko Jensen <Meiko.Jensen@ruhr-uni-bochum.de>
Message-ID: <81099CDE-B74F-47A1-9D49-DA6F143147BA@sec.uni-passau.de>
Dear Scott,
dear all,

>> A more security minded question: What attack/threat is <dsig2:IDAttributes>
>> protecting against?
> It doesn't. The inability to identify an ID causes false negatives, which
> are a denial of service of a sort, but not generally thought of as a
> security risk. It's a usability issue with the technology because there were
> no standard ways to identify IDs outside of DTD and schema use before xml:id
> existed.

OK, I am fine with that, I was not seeing any new security risks here, 
I rather did not see what it was good for in terms of security.
If it is a usability service only, I would suggest to clearly state this usability purpose in the standard, as for the other additions (<dsig2:DigestDataLength>, <dsig2:PositionAssertion>) I clearly see several security reasons for using them.

>> <dsig2:PositionAssertion>: I see this as an additional clue that the 
>> position of the data was important to the signer.
>> IMHO the signer should make this *explicit*
>> (as this is only optional) by using a selection statement that
>> incorporates the position i.e. XPath, instead of
>> using an ID-based selection.
> Not every situation allows for XPath, and SAML among many other specs relies
> exclusively on ID-based references because the thing being signed is a unit,
> can be moved around, and its position in the document as a whole is an issue
> for higher-level standards.

>From the security standpoint having an optional, ignorable <dsig:PositionAssertion> will always introduce new problems.
What if the validator ignored it, because it is "optional, even if the element is present" [XML DSIG DRAFT ], but the signer was aware that the message signed is indeed susceptible to an attack (i.e. knows that wrapping attacks could occur)?

I would like to see the verification of <dsig:PositionAssertion> not optional, so if a <dsig:PositionAssertion> is present, it must be verified.  
If, for whatever reason it stays optional, I would like to see the standard to provide a secure solution by adding something like the following and highlight it like a note:  
"In order to force a check of the position of a signed element during the verification process, the signer MUST use a <dsig2:Selection> element which MUST contain a <dsig2:IncludedXPathXPATH> for referencing." 

Best Regards,
Henrich C. Pöhls

PS: I was looking at http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-20/ W3C Editor's Draft from 04th of January 2011

> -- Scott

This email is:       [ ] private     [ ] ask before forwarding    [X] public

Dipl.-Inform. M.Sc. Info.-Security Henrich C. Poehls
Research Assistant
Institute of IT-Security and Security Law (ISL)
University of Passau, Innstr. 43, 94032 Passau, Germany
Room: 136
Tel: +49 851 - 509 3217
Received on Thursday, 13 January 2011 10:48:14 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:55:15 UTC