W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > January to March 2001

Problem with canonical form?

From: Joseph Ashwood <jashwood@arcot.com>
Date: Fri, 5 Jan 2001 14:39:23 -0800
Message-ID: <011c01c07768$c9b5e8a0$2a0210ac@livermore>
To: <w3c-ietf-xmldsig@w3.org>
I've found a security risk in canonical XML that I believe needs to be
covered. Simply stated through example (with probably large portions of xml
left out):

<... namespace declaration...>
<agreement>I agree to pay the amount(s) shown in the namespace</agreement>

once signed, can be later altered simply by changing the namespace
declaration from reading "Purchase Barbie for 19.95" to "Purchase Ferrari
for 150,000". The effect being that instead of getting a charge of 19.95 on
the credit card, the charge becomes 150,000. We have seen these security
risks become reality with servers being continually hacked all across the
internet. I can think of no immediate solution outside of embedding the
namespace file in the canonical XML. I don't think this problem will go
away, it will just get worse.
Received on Friday, 5 January 2001 17:43:10 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:21:35 UTC