- From: Poehls, Henrich <hp@sec.uni-passau.de>
- Date: Thu, 13 Jan 2011 11:47:42 +0100
- To: "cantor.2@osu.edu" <cantor.2@osu.edu>
- CC: "public-xmlsec@w3.org" <public-xmlsec@w3.org>, Meiko Jensen <Meiko.Jensen@ruhr-uni-bochum.de>
Dear Scott, dear all,

>> A more security minded question: What attack/threat is <dsig2:IDAttributes>
>> protecting against?
>
> It doesn't. The inability to identify an ID causes false negatives, which
> are a denial of service of a sort, but not generally thought of as a
> security risk. It's a usability issue with the technology because there were
> no standard ways to identify IDs outside of DTD and schema use before xml:id
> existed.

OK, I am fine with that. I was not seeing any new security risks here; I rather did not see what it was good for in terms of security. If it is a usability service only, I would suggest clearly stating this usability purpose in the standard, as for the other additions (<dsig2:DigestDataLength>, <dsig2:PositionAssertion>) I clearly see several security reasons for using them.

>> <dsig2:PositionAssertion>: I see this as an additional clue that the
>> position of the data was important to the signer.
>> IMHO the signer should make this *explicit*
>> (as this is only optional) by using a selection statement that
>> incorporates the position i.e. XPath, instead of
>> using an ID-based selection.
>
> Not every situation allows for XPath, and SAML among many other specs relies
> exclusively on ID-based references because the thing being signed is a unit,
> can be moved around, and its position in the document as a whole is an issue
> for higher-level standards.

From the security standpoint, having an optional, ignorable <dsig:PositionAssertion> will always introduce new problems. What if the validator ignored it, because it is "optional, even if the element is present" [XML DSIG DRAFT], but the signer was aware that the message signed is indeed susceptible to an attack (i.e. knows that wrapping attacks could occur)? I would like to see the verification of <dsig:PositionAssertion> not be optional, so if a <dsig:PositionAssertion> is present, it must be verified.

If, for whatever reason, it stays optional, I would like to see the standard provide a secure solution by adding something like the following and highlighting it as a note: "In order to force a check of the position of a signed element during the verification process, the signer MUST use a <dsig2:Selection> element which MUST contain a <dsig2:IncludedXPathXPATH> for referencing."

Best Regards,
Henrich C. Pöhls

PS: I was looking at http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-20/ W3C Editor's Draft from 4th of January 2011

> -- Scott

-- 
This email is: [ ] private [ ] ask before forwarding [X] public
Dipl.-Inform. M.Sc. Info.-Security Henrich C. Poehls
Research Assistant
Institute of IT-Security and Security Law (ISL)
University of Passau, Innstr. 43, 94032 Passau, Germany
Room: 136 Tel: +49 851 - 509 3217
<http://web.sec.uni-passau.de/members/henrich>
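As an added illustration of the point argued in the mail above (this is not part of the mail or of the XML Signature 2.0 draft), a toy Python verifier shows why a position check must not be ignorable: an ID-only lookup still succeeds after the signed element has been moved elsewhere in the document, while a check that also pins the signer's path rejects the relocated document. The sample documents, element names, digest routine and the use of an ElementTree path in place of a real XPath are all constructed assumptions; the dsig2 structures themselves are not modelled.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: the signer signed <Order ID="o1"> sitting directly under <Body>.
ORIGINAL = """<Envelope>
  <Header><Signature>sig-placeholder</Signature></Header>
  <Body><Order ID="o1"><Item>widget</Item><Amount>10</Amount></Order></Body>
</Envelope>"""

# Constructed sample of the failure mode discussed in the mail: the signed <Order> is
# still present (so an ID lookup finds it and its digest still matches), but it now
# sits under an unsigned wrapper while a different <Order> occupies the signer's position.
RELOCATED = """<Envelope>
  <Header><Signature>sig-placeholder</Signature><Wrapper><Order ID="o1"><Item>widget</Item><Amount>10</Amount></Order></Wrapper></Header>
  <Body><Order ID="o2"><Item>widget</Item><Amount>9999</Amount></Order></Body>
</Envelope>"""


def digest(elem):
    # Toy stand-in for a canonicalised digest; .strip() drops any tail whitespace
    # that ElementTree serialises after the element. Real c14n is out of scope here.
    return hashlib.sha256(ET.tostring(elem).strip()).hexdigest()


def find_by_id(root, id_value, id_attr="ID"):
    # ID-based selection: the first element carrying the ID, wherever it is in the tree.
    return next((e for e in root.iter() if e.get(id_attr) == id_value), None)


def verify_by_id(xml_text, id_value, expected_digest):
    # A verifier that ignores position entirely: the ID resolves and the digest matches.
    elem = find_by_id(ET.fromstring(xml_text), id_value)
    return elem is not None and digest(elem) == expected_digest


def verify_with_position(xml_text, id_value, position_path, expected_digest):
    # Position-aware selection: the element at the signer's path (an ElementTree path
    # here, standing in for the signer's XPath) must be the very element the ID
    # resolves to, and its digest must match.
    root = ET.fromstring(xml_text)
    by_id = find_by_id(root, id_value)
    at_pos = root.find(position_path)
    return by_id is not None and at_pos is by_id and digest(by_id) == expected_digest


# Digest the signer committed to, computed over the element as originally signed,
# and the position the signer intended it to occupy.
SIGNED_DIGEST = digest(find_by_id(ET.fromstring(ORIGINAL), "o1"))
SIGNED_PATH = "./Body/Order"
```

Against RELOCATED, verify_by_id still returns True while verify_with_position returns False, which is exactly the gap an optional, skippable position check leaves open.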
Received on Thursday, 13 January 2011 10:48:14 UTC