W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > July to September 2001

Re: ID/DTD/c14n/dsig mischief?

From: Donald E. Eastlake 3rd <dee3@torque.pothole.com>
Date: Thu, 26 Jul 2001 22:59:18 -0400
Message-Id: <200107270259.WAA0000054708@torque.pothole.com>
To: Thomas Maslen <maslen@dstc.edu.au>
cc: "John Boyer" <JBoyer@PureEdge.com>, w3c-ietf-xmldsig@w3.org
You're right that securing XML in the general case isn't easy. It's one
reason for things like Section 7.1 of the specification.

Donald

From:  Thomas Maslen <maslen@dstc.edu.au>
Message-Id:  <200107130825.f6D8PC402131@piglet.dstc.edu.au>
To:  "John Boyer" <JBoyer@PureEdge.com>
cc:  w3c-ietf-xmldsig@w3.org
In-reply-to:  Your message of "Thu, 12 Jul 2001 10:34:39 MST."
              <7874BFCCD289A645B5CE3935769F0B520C341F@tigger.PureEdge.com> 
Date:  Fri, 13 Jul 2001 18:25:20 +1000
       
>> My immediate reaction to any omission of data is 'document closure',
>> i.e. if an article of data is necessary to the interpretation of a
>> document, then don't omit it.  
>
>Yes.
>
>> It often happens that only the application designer is capable of 
>> fully assessing this.
>>
>> In the case of the DTD, either design the application so that the DTD is
>> largely superfluous or, if it is needed, then find a way to include it
>> in the signature, even if C14N excludes it.
>
>This is the bit that worries me:  is there a danger that only a handful of 
>people have the necessary competence to use this specification correctly?
>In particular, my guess is that an application designer, even one with a
>security background, will be hard put not to stumble into security traps
>caused by XML nuances.  The guidance in the Security Considerations section
>is very good, but it may have to cover a lot more territory still if we're 
>to have a better than even chance of getting people to produce secure 
>applications.
>
>> One could put a Reference to the dtd file and an Object containing a 
>> copy of the internal DTD subset in the signature before signing.  After 
>> a core signature validation, the application could check to make sure 
>> that no change of DTD occured.
>
>Fair enough.  I had thought of the (non-XML) signature over the external DTD
>but hadn't thought of including a copy of the internal DTD as PCDATA or CDATA;
>neat.  
>
>However, doing this requires going well outside what DOM 2 provides, and 
>maybe even outside what SAX 2 provides, which seems to go against the efforts
>in dsig and particularly c14n to use information that is preserved by SAX and
>DOM.
>
>[I've just had the pleasure of writing the character-munging code to copy the
>DTD from the original version to the edited version of a document that is
>being massaged by SAX or DOM;  all I have to say is bah humbug].
>
>I'm not sure about the feasibility of this:
>
>> either design the application so that the DTD is largely superfluous [...]
>
>because ID attributes are awfully useful if the graph is anything more fancy
>than a tree.
>
>Can we state a sufficient set of conditions for a language/DTD to be safe?
>(I'm not sure that _I_ can -- the ID-attribute hack was the obvious one 
>that occurred to me, but are there more subtle possibilities involving e.g. 
>whitespace normalization in different attribute types?).
>
>I've also been wondering about XML Schema.  In some ways the situation is a
>lot better than with DTDs, because 
>
>    (a)	it's easy to sign schema info because it is expressed as XML elements
 
>	(hence visible in SAX and DOM), and 
>
>    (b)	xsi:schemalocation attributes are a hint that a schema processor is 
>	free (even encouraged?) to ignore.  
>
>On the other hand, it seems as though you could have some fun if you knew that 
>the signer's schema processor did honour xsi:schemalocation and the verifier's 
>schema processor did not, or vice versa.
>
>Thomas Maslen
>DSTC
>
Received on Thursday, 26 July 2001 23:00:49 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:21:36 UTC