W3C home > Mailing lists > Public > public-xmlsec@w3.org > March 2011

Re: ACTION 772: Add wording about using IncludedXPath in favor of PositionAssertion

From: <Frederick.Hirsch@nokia.com>
Date: Tue, 8 Mar 2011 15:02:13 +0000
To: <cantor.2@osu.edu>
CC: <Frederick.Hirsch@nokia.com>, <public-xmlsec@w3.org>
Message-ID: <76631710-CC35-4CC8-9E4D-B544B52CCE22@nokia.com>
should the first sentence read "signers" instead of "verifiers"?


> While using the PositionAssertion feature allows more flexibility in
> accomodating XPath-unaware verifiers



regards, Frederick

Frederick Hirsch
Nokia



On Mar 7, 2011, at 7:34 PM, ext Cantor, Scott E. wrote:

> My recollection of this issue was that we wanted to urge applications to
> favor XPath for selection over XPath for verification because the latter
> is optional for the verifier, so would lead to wrapping attacks even if
> the PositionAssertion feature were used.
> 
> So I suggest adding the following text to section 10.7.2 of the Feb 7th WD
> of Sig 2.0:
> 
> "While using the PositionAssertion feature allows more flexibility in
> accomodating XPath-unaware verifiers, applications SHOULD favor the use of
> XPath-based selection via the dsig2:IncludedXPath element over the use of
> this feature in most cases. Because verification of the PositionAssertion
> is formally optional, verifiers may become subject to positional wrapping
> attacks (Reference?) if they choose to ignore the assertion. This feature
> is appropriately mainly in applications in which knowledge of the
> verifier's support for the feature can be assured."
> 
> -- Scott
> 
> 
Received on Tuesday, 8 March 2011 15:03:01 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 March 2011 15:03:05 GMT