ACTION 772: Add wording about using IncludedXPath in favor of PositionAssertion

From: Cantor, Scott E. <cantor.2@osu.edu>
Date: Tue, 8 Mar 2011 00:34:25 +0000
To: "public-xmlsec@w3.org" <public-xmlsec@w3.org>
Message-ID: <C99AE3C1.5F4E%cantor.2@osu.edu>

My recollection of this issue was that we wanted to urge applications to
favor XPath for selection over XPath for verification because the latter
is optional for the verifier, so would lead to wrapping attacks even if
the PositionAssertion feature were used.

So I suggest adding the following text to section 10.7.2 of the Feb 7th WD
of Sig 2.0:

"While using the PositionAssertion feature allows more flexibility in
accommodating XPath-unaware verifiers, applications SHOULD favor the use of
XPath-based selection via the dsig2:IncludedXPath element over the use of
this feature in most cases. Because verification of the PositionAssertion
is formally optional, verifiers may become subject to positional wrapping
attacks (Reference?) if they choose to ignore the assertion. This feature
is appropriate mainly in applications in which knowledge of the
verifier's support for the feature can be assured."

-- Scott
Received on Tuesday, 8 March 2011 00:34:55 GMT
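
The following is an added example, not part of the original message or of the XML Signature 2.0 draft: a Python check showing why a verifier that dereferences by ID and skips the positional check can validate one element while the application consumes another. The element names, the Id value and the `./Body` path are constructed for illustration, and digest and signature validation are assumed to have passed rather than implemented.

```python
import xml.etree.ElementTree as ET

# Constructed samples; names and the Id value are made up for this example.
# The signed Body is byte-identical in both, so its digest matches in both.
GENUINE = """<Envelope><Body Id="b1"><Pay to="alice"/></Body>
<Signature><Reference URI="#b1"/></Signature></Envelope>"""

# Signed element relocated under a wrapper; an unsigned Body sits where the
# application reads its input.
WRAPPED = """<Envelope><Body><Pay to="mallory"/></Body>
<Wrapper><Body Id="b1"><Pay to="alice"/></Body></Wrapper>
<Signature><Reference URI="#b1"/></Signature></Envelope>"""

def resolve_by_id(root, uri):
    """ID-based dereference: finds the element wherever it sits in the tree."""
    wanted = uri.lstrip("#")
    matches = [e for e in root.iter() if e.get("Id") == wanted]
    if len(matches) != 1:
        raise ValueError("reference must resolve to exactly one element")
    return matches[0]

def position_ok(xml_text, expected_path="./Body"):
    """True only if the signed node is the node found at the expected position."""
    root = ET.fromstring(xml_text)
    uri = root.find("./Signature/Reference").get("URI")
    signed = resolve_by_id(root, uri)
    at_position = root.findall(expected_path)
    # Exactly one node at the fixed path, and it must be the signed node itself.
    return len(at_position) == 1 and at_position[0] is signed

def signed_payee(xml_text):
    """Value covered by the signature (ID-resolved element)."""
    root = ET.fromstring(xml_text)
    uri = root.find("./Signature/Reference").get("URI")
    return resolve_by_id(root, uri).find("Pay").get("to")

def consumed_payee(xml_text):
    """Value that business logic reading ./Body/Pay would act on."""
    return ET.fromstring(xml_text).find("./Body/Pay").get("to")

if __name__ == "__main__":
    for name, doc in (("genuine", GENUINE), ("wrapped", WRAPPED)):
        print(name, signed_payee(doc), consumed_payee(doc), position_ok(doc))
```

A verifier that ignores position accepts both documents because the ID-resolved element is intact in each; only the position check separates them.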