W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > January to March 2001

RE: Problem with canonical form?

From: Philip Hallam-Baker <pbaker@verisign.com>
Date: Mon, 8 Jan 2001 10:35:30 -0800
Message-ID: <2F3EC696EAEED311BB2D009027C3F4F40154C77A@vhqpostal.verisign.com>
To: "'Joseph Ashwood'" <jashwood@arcot.com>, w3c-ietf-xmldsig@w3.org
I don't think that a viable goal in a working group is to prevent people
from shooting themselves in the foot.

The spec says very clearly that you can trust only what is signed. If there
is a reference to another object the application must work out the degree to
which the referenced object is trustworthy.


There are two types of reference in XML

1) Semantics attached to the Signifier
	In this case the URI reference alone specifies the semantics. It is
not necessary to derefference the URI to understand the semantics. An
example of this type is a URN that specifies an ISBN or a bar code. It is
not necessary to get the can of beans to know that a can of beans is being
referred to (a prize for the first person to work out how to sign a can of
beans using RSA).

2) Semantics attached to the Signified
	In this case the reference itself is simply a method of obtaining a
piece of data. For example the target of an <IMG> tag.

In case (2) it is clearly desirable to authenticate the referenced data. In
case (1) the referenced data is not the issue and may not even be a digital
document.


The purpose of the Canonical XML document is not to describe what is known
in the formal methods literature as a canonical form, it does not guarantee
that all documents with the same semantics have the same syntactic
representation.

What Canonical XML actually does is to define a unique encoding of a typical
XML parse tree. This allows an XML Signature implementation to act on the
parsed representation rather than the actual encoding. But there are many
semantically equivalent parse trees that have different encodings. An
implementation could for example automatically unify all the namespace
prefixes since an application does not care whether it is s0:Signature or
xyz83759:Signature.


Canonicalization is not intended to provide additional security. It is
simply a protection against certain syntax transformations which may occur
during message processing.

Using XML Signature is not a substitute for a comprehensive security
evaluation of a protocol. The security implications of every transformation
have to be considered. If the signed object is f(x) the f(x) is what is
trustworthy. Applications have no business trusting x and a security aware
program design would ensure that the program modules requiring security
sensitive processing would ONLY see f(x) and be entirely unable to access x.

	Phill



> -----Original Message-----
> From: Joseph Ashwood [mailto:jashwood@arcot.com]
> Sent: Friday, January 05, 2001 5:39 PM
> To: w3c-ietf-xmldsig@w3.org
> Subject: Problem with canonical form?
> 
> 
> I've found a security risk in canonical XML that I believe needs to be
> covered. Simply stated through example (with probably large 
> portions of xml
> left out):
> 
> ...
> <... namespace declaration...>
> <agreement>I agree to pay the amount(s) shown in the 
> namespace</agreement>
> ...
> 
> once signed, can be later altered simply by changing the namespace
> declaration from reading "Purchase Barbie for 19.95" to 
> "Purchase Ferrari
> for 150,000". The effect being that instead of getting a 
> charge of 19.95 on
> the credit card, the charge becomes 150,000. We have seen 
> these security
> risks become reality with servers being continually hacked 
> all across the
> internet. I can think of no immediate solution outside of 
> embedding the
> namespace file in the canonical XML. I don't think this 
> problem will go
> away, it will just get worse.
>                             Joe
> 
Received on Monday, 8 January 2001 13:35:48 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:12 GMT