Re: Problem with canonical form? from Martin J. Duerst on 2001-01-06 (w3c-ietf-xmldsig@w3.org from January to March 2001)

From: Martin J. Duerst <duerst@w3.org>
Date: Sat, 06 Jan 2001 12:20:15 +0900
To: Rich Salz <rsalz@caveosystems.com>, Joseph Ashwood <jashwood@arcot.com>
Cc: w3c-ietf-xmldsig@w3.org, xml-uri@w3.org
Message-Id: <4.2.0.58.J.20010106120401.03a61a70@sh.w3.mag.keio.ac.jp>

[Cross-posting to xml-uri@w3.org. Sorry if this topic has
already been hashed throgh there.]

I agree. Namespaces are also not intended to contain actual data
such as payment information, and it's not ever agreed that the
namespace URI should point to an actual document, nor how the
document looks like, or that there would be only a single one.

So proposing to always include a namespace document when signing
is currently a non-starter.

But there are cases where it's not too difficult to imagine
that the namespace influences the meaning of the document.
Imagine that a DTD contains the following:

<!ELEMENT payment-amount #PCDATA> -- amount in Italian Lire --

and is changed to

<!ELEMENT payment-amount #PCDATA> -- amount in British Pounds --

So the question is how to make sure that a namespace cannot
easily be changed in such ways. This provides interesting
challenges in lots of ways, and some input into the namespace
and uri debate. It would definitely increase the stability
of the transaction against attacks if the DTD that contained
the above fragment could be singed.

Regards,   Martin.

At 01/01/05 18:25 -0500, Rich Salz wrote:
>No, I think this is another example that points out that the signature often
>must cover more than just the XML, but rather the stylesheets, etc., that
>are related to it.  I believe the XMLDSIG spec discusses this sufficiently.
>         /r$

The original posting, from Joseph Ashwood <jashwood@arcot.com>,
for completeness:

 >>>>
I've found a security risk in canonical XML that I believe needs to be
covered. Simply stated through example (with probably large portions of xml
left out):

...
<... namespace declaration...>
<agreement>I agree to pay the amount(s) shown in the namespace</agreement>
...

once signed, can be later altered simply by changing the namespace
declaration from reading "Purchase Barbie for 19.95" to "Purchase Ferrari
for 150,000". The effect being that instead of getting a charge of 19.95 on
the credit card, the charge becomes 150,000. We have seen these security
risks become reality with servers being continually hacked all across the
internet. I can think of no immediate solution outside of embedding the
namespace file in the canonical XML. I don't think this problem will go
away, it will just get worse.
                             Joe
<<<<

Received on Friday, 5 January 2001 22:20:41 UTC