
RE: Antwort: RE: AW: XML Signature - Request for clarification [Virus checked]

From: Christian Geuer-Pollmann <Christian.Geuer-Pollmann@microsoft.com>
Date: Thu, 9 Aug 2007 14:25:02 +0100
To: "Marcus.Ertel@Extern.Sparkassen-Informatik.de" <Marcus.Ertel@Extern.Sparkassen-Informatik.de>
CC: "Heiko.Dittmann@Sparkassen-Informatik.de" <Heiko.Dittmann@Sparkassen-Informatik.de>, "Konrad.Lanz@iaik.tugraz.ac.at" <Konrad.Lanz@iaik.tugraz.ac.at>, Marcus Ertel <m.ertel@gmx.com>, "public-xmlsec-maintwg@w3.org" <public-xmlsec-maintwg@w3.org>, Tom Gindin <tgindin@us.ibm.com>, "w3c-ietf-xmldsig@w3.org" <w3c-ietf-xmldsig@w3.org>
Message-ID: <6CF75D3DC659834C980077A2E31582BE09B9D360B9@EA-EXMSG-C310.europe.corp.microsoft.com>
One of the questions you should ask yourself is why you don't do the actual node selection in the ds:Transforms anyway? I would expect that with the approach you're following here, you're calling for trouble. If you want to select multiple subtrees in the document, I would select the whole document's XPath node set in the URI="" and do the filtering in the Transforms anyway. Using a URI like #xpointer(//*[@authenticate='true']) may not be supported by many XML Signature toolkits, as that's not a requirement for a toolkit to call itself "XML Signature 1.0 compliant". So when you want to work with different toolkits, that's a recipe for trouble. When you only intend to use a single toolkit, you should actually just do what that particular toolkit understands.


Best regards,
Christian

Europäisches Microsoft Innovations Center GmbH, Ritterstrasse 23, D-52072 Aachen, Germany
Managing Directors: Keith Dolliver, Benjamin O. Orndorff; Aachen District Court, HRB 12066
http://www.microsoft.com/emic/

From: Marcus.Ertel@Extern.Sparkassen-Informatik.de [mailto:Marcus.Ertel@Extern.Sparkassen-Informatik.de]
Sent: Thursday, 9 August 2007 14:56
To: Christian Geuer-Pollmann
Cc: Heiko.Dittmann@Sparkassen-Informatik.de; Konrad.Lanz@iaik.tugraz.ac.at; Marcus Ertel; public-xmlsec-maintwg@w3.org; Tom Gindin; w3c-ietf-xmldsig@w3.org
Subject: Antwort: RE: AW: XML Signature - Request for clarification [Virus checked]


Hi all,

I'm not yet convinced that Christian's point of view is completely correct: While the signature lib has full access to the Reference URI, this doesn't necessarily mean that everything passed as a URI is correct in terms of the RFCs that describe what a Reference URI is supposed to look like. Briefly: The direct access to the data doesn't make them "legal", it only eases processing for less strict libraries.

Regards,
Marcus
Christian Geuer-Pollmann <Christian.Geuer-Pollmann@microsoft.com>

09.08.2007 14:31

To

Tom Gindin <tgindin@us.ibm.com>, Marcus Ertel <m.ertel@gmx.com>

Cc

"Heiko.Dittmann@Sparkassen-Informatik.de" <Heiko.Dittmann@Sparkassen-Informatik.de>, "Konrad.Lanz@iaik.tugraz.ac.at" <Konrad.Lanz@iaik.tugraz.ac.at>, "Marcus.Ertel@Extern.Sparkassen-Informatik.de" <Marcus.Ertel@Extern.Sparkassen-Informatik.de>, "public-xmlsec-maintwg@w3.org" <public-xmlsec-maintwg@w3.org>, "w3c-ietf-xmldsig@w3.org" <w3c-ietf-xmldsig@w3.org>

Subject

RE: AW: XML Signature - Request for clarification [Virus checked]

As I said: The attribute's text value is not sent to an HTTP server as GET URL where everything needs to be escaped properly, but processed by an XML Signature library which has full and direct access to the xmlAttribute.Value property, so I don't see a need to escape anything here.


Best regards,
Christian

Europäisches Microsoft Innovations Center GmbH, Ritterstrasse 23, D-52072 Aachen, Germany
Managing Directors: Keith Dolliver, Benjamin O. Orndorff; Aachen District Court, HRB 12066
http://www.microsoft.com/emic/

-----Original Message-----
From: Tom Gindin [mailto:tgindin@us.ibm.com]
Sent: Thursday, 9 August 2007 14:27
To: Marcus Ertel; Christian Geuer-Pollmann
Cc: Heiko.Dittmann@Sparkassen-Informatik.de; Konrad.Lanz@iaik.tugraz.ac.at; Marcus.Ertel@Extern.Sparkassen-Informatik.de; public-xmlsec-maintwg@w3.org; w3c-ietf-xmldsig@w3.org
Subject: Re: AW: XML Signature - Request for clarification [Virus checked]

       Christian:

       How does a complete absence of escape processing for the Reference
attribute square with XMLDSIG section 4.3.3.1?  That section says (point
2) that "some Unicode characters are disallowed from URI references
including all non-ASCII characters and the excluded characters listed in
RFC2396 [URI, section 2.4].  However, the number sign (#), percent sign
(%), and square bracket characters re-allowed in RFC 2732 [URI-Literal]
are permitted."  None of the characters in Marcus' example need to be
escaped, and the test vectors explicitly show solidus and apostrophe as
not being escaped.  But don't angle brackets and double quotation marks
need to be escaped?

               Tom Gindin

"Marcus Ertel" <m.ertel@gmx.com>
Sent by: w3c-ietf-xmldsig-request@w3.org
08/08/2007 04:32 PM

To
"'Christian Geuer-Pollmann'" <Christian.Geuer-Pollmann@microsoft.com>,
<Marcus.Ertel@Extern.Sparkassen-Informatik.de>,
<public-xmlsec-maintwg@w3.org>
cc
<w3c-ietf-xmldsig@w3.org>, <Konrad.Lanz@iaik.tugraz.ac.at>,
<Heiko.Dittmann@Sparkassen-Informatik.de>
Subject
AW: XML Signature - Request for clarification [Virus checked]

Christian,
thanks for your quick response! Well, this looks like quite a straightforward solution to a tedious problem. I remember that I came across a hint into the direction that you describe when my research led me into the Javadocs of the URLEncoder class that produces the (in our case) wrong output (an ISV's library required the Reference URI be RFC 2396 compliant). - But I just couldn't (and almost still can't) imagine a solution this easy, because there were long and very qualified discussions with ISVs, suppliers of JCE's and even the German section of the W3C regarding the handling of the Reference URI.

Anyway, I'm glad that this issue looks solved now. And maybe there'll be
more contributions to this discussion by the other addressees of your
mail...?

Thanks again and best regards!
Marcus

> -----Original Message-----
> From: Christian Geuer-Pollmann
> [mailto:Christian.Geuer-Pollmann@microsoft.com]
> Sent: Wednesday, 8 August 2007 21:09
> To: Marcus.Ertel@Extern.Sparkassen-Informatik.de;
> public-xmlsec-maintwg@w3.org
> Cc: w3c-ietf-xmldsig@w3.org; Konrad.Lanz@iaik.tugraz.ac.at;
> m.ertel@gmx.com; Heiko.Dittmann@Sparkassen-Informatik.de
> Subject: RE: XML Signature - Request for clarification [Virus checked]
>
> Marcus,
>
>
>
> your first example
>
>
>
>    <Reference URI="#xpointer(//*[@authenticate='true'])">
>
>
>
> is correct. The other thing *would* be the escape sequence
> which you need when sending the URI as part of a GET request
> to some web server, i.e. when the URI would be consumed and
> cracked by an HTTP server. That is not the case at XML
> Signature: the @URI attribute here is processed by an XML
> Signature library, which does not expect that escaping. Doing
> RFC2396 escaping in a ds:Reference/@URI is wrong (and just
> feeding that into a concrete implementation should actually
> give you that answer with some nice exception :-) ).
>
>
>
> Best regards,
>
> Christian
>
>
>
> Europäisches Microsoft Innovations Center GmbH, Ritterstrasse
> 23, D-52072 Aachen, Germany
>
> Managing Directors: Keith Dolliver, Benjamin O. Orndorff;
> Aachen District Court, HRB 12066
>
> http://www.microsoft.com/emic/
>
>
>
> From: w3c-ietf-xmldsig-request@w3.org
> [mailto:w3c-ietf-xmldsig-request@w3.org] On Behalf Of
> Marcus.Ertel@Extern.Sparkassen-Informatik.de
> Sent: Monday, 6 August 2007 14:26
> To: public-xmlsec-maintwg@w3.org
> Cc: w3c-ietf-xmldsig@w3.org; Konrad.Lanz@iaik.tugraz.ac.at;
> m.ertel@gmx.com; Heiko.Dittmann@Sparkassen-Informatik.de
> Subject: XML Signature - Request for clarification [Virus checked]
>
>
>
>
> Ladies and Gentlemen:
>
> Let me start with a brief introduction of the issue that
> makes me ask for a clarification from your side.
> My name is Marcus Ertel and I am with "Sparkassen
> Informatik", one of the biggest IT service providers in
> Germany. We are currently busy introducing the new money
> transfer standard EBICS (Electronic Banking Internet
> Communication Standard; please see
> <http://www.ebics-zka.de/english/spec/specification_en.htm>)
> which relies heavily on XML and particularly XML Signature.
>
> The various implementations of EBICS raised a discussion
> concerning the handling of the Reference URI in the
> SignedInfo element of an XML signature. The issue is, quite
> briefly, as follows:
>
> The XML data of an EBICS message contain a <SignedInfo>
> element with a <Reference URI> that contains an XPointer:
>
>         <Reference URI="#xpointer(//*[@authenticate='true'])">
>
> Now there's an ongoing discussion about the handling of this
> URI before the calculation of the XML Signature. One opinion
> is as follows:
> In order to obtain a valid, RFC 2396 compliant URI, parts of
> the Reference URI have to be escaped properly. Hence, the URI
> fed into the signature process is as follows:
>
> <Reference
> URI="#xpointer(%2F%2F*%5B%40authenticate%3D%27true%27%5D)">
>
> On the other hand, there is quite the opposite opinion. Its
> proponents say that no escaping at all is necessary, because
> the URI consists of just an XPointer. And as all the
> candidates for escaping are parts of this XPointer, they do
> not infringe the requirements of RFC 2396.
>
> Could you please kindly advise on how to process this special
> URI? We need this clarification because there are ISV's
> providing the German banking software market with these two
> implementations of the XML Signature standard. This in turn
> leads to products unable to cope with each other while all of
> them claim to be compliant with the XML Signature standard.
>
> Thank you very much in advance and best regards from Munich
>
> Marcus Ertel, Sparkassen Informatik
>
> Sparkassen Informatik GmbH & Co.KG
> Richard-Reitzner-Allee 8
> 85540 München / Haar
>
> _____________________________________________________________________
>
> Sparkassen Informatik GmbH & Co. KG, Theodor-Heuss-Allee 90,
> D 60486 Frankfurt a.M.
> Frankfurt a.M. District Court HRA 30059;
> Chairman of the Supervisory Board: Dr. Rolf Gerlach; General
> Partner: Sparkassen Informatik
> Verwaltungsgesellschaft mbH, registered office: Frankfurt a.M.,
> Frankfurt a.M. District Court HRB 52289, Managing Directors:
> Fridolin Neumann (Chairman), Franz-Theo Brockhoff (Deputy
> Chairman), Werner Brunner (Deputy Chairman), Uwe
> Katzenburg (Deputy Chairman), Willi Bär, Harald Lux;
> Internet: http://www.sparkassen-informatik.de, E-Mail:
> kontakt@sparkassen-informatik.de
>
>
Received on Thursday, 9 August 2007 13:25:15 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 9 August 2007 13:25:18 GMT
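The two points the thread turns on, that a ds:Reference/@URI reaches the signature library verbatim (so RFC 2396 percent-escaping inside an xpointer() changes the string rather than "normalising" it), and that a general #xpointer(...) is optional for an XML Signature 1.0 implementation whereas URI="" plus node selection in ds:Transforms is portable, can be made concrete with a small model of a minimal toolkit. The following is an added example written for this page, not code from any of the posters, from EBICS, or from a real XML Signature library. It assumes a constructed document (not a real EBICS message), a hypothetical `dereference()` that implements only the same-document URI forms XMLDSIG section 4.3.3.2 requires of every implementation, and a simplified XPath-transform stand-in built on ElementTree's `findall`, which is not a faithful XPath Filter implementation.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Constructed sample document (not a real EBICS message): two elements carry
# authenticate='true' and are the ones the signature is meant to cover.
DOC = """<Message>
  <header id="hdr" authenticate='true'><id>ORDER-1</id></header>
  <body authenticate='true'><amount>100</amount></body>
  <transient>not signed</transient>
</Message>"""


class UnsupportedReference(Exception):
    """Raised for a Reference URI this minimal toolkit does not implement."""


def dereference(root, uri):
    """Hypothetical minimal toolkit: only the same-document URI forms that
    XMLDSIG 4.3.3.2 requires of every implementation are recognised:
    '' (whole document), '#name', '#xpointer(/)' and "#xpointer(id('name'))".
    A general '#xpointer(...)' is optional in the spec and rejected here.
    The attribute value is matched verbatim; no percent-decoding is applied,
    which is why an RFC 2396-escaped xpointer is simply not recognised."""
    if uri in ("", "#xpointer(/)"):
        return [root]
    m = (re.fullmatch(r"#xpointer\(id\('([^']*)'\)\)", uri)
         or re.fullmatch(r"#([A-Za-z_][\w.-]*)", uri))
    if m:
        return [e for e in root.iter() if e.get("id") == m.group(1)]
    raise UnsupportedReference(uri)


def apply_xpath_transform(nodes, expr):
    """Simplified stand-in for an XPath transform in ds:Transforms: returns
    the subtrees under each input node that match expr. ElementTree needs a
    leading '.' for a relative search, so '//*[...]' becomes './/*[...]'."""
    et_expr = "." + expr if expr.startswith("//") else expr
    out = []
    for n in nodes:
        out.extend(n.findall(et_expr))
    return out


def signed_elements(reference_uri, transforms=()):
    """Resolve one ds:Reference against DOC: dereference the URI, then run
    the listed transforms. Returns the tags of the selected elements, i.e.
    what would go on to canonicalisation and digesting."""
    root = ET.fromstring(DOC)
    nodes = dereference(root, reference_uri)
    for expr in transforms:
        nodes = apply_xpath_transform(nodes, expr)
    return [n.tag for n in nodes]


def compare_reference_styles():
    """Run the three styles from the thread through the minimal toolkit.
    Returns (escaped_uri, {style: selected tags or None if rejected})."""
    xpath = "//*[@authenticate='true']"
    styles = [
        ("xpointer", "#xpointer(" + xpath + ")", ()),        # optional form
        ("escaped", "#xpointer(" + quote(xpath, safe="") + ")", ()),  # RFC 2396-escaped
        ("empty+transform", "", (xpath,)),                  # portable form
    ]
    results = {}
    for label, uri, transforms in styles:
        try:
            results[label] = signed_elements(uri, transforms)
        except UnsupportedReference:
            results[label] = None
    return styles[1][1], results


if __name__ == "__main__":
    escaped, results = compare_reference_styles()
    print("escaped URI the toolkit actually sees:", escaped)
    for label, tags in results.items():
        print(f"{label:>16}: {'rejected' if tags is None else tags}")
```

With this toolkit both the bare and the escaped xpointer forms are rejected, for different reasons: the bare one because general xpointer() support is optional and not implemented, the escaped one because percent-escaping turned it into a string no XMLDSIG rule matches at all. Only URI="" with the selection moved into the transform yields the two authenticate='true' subtrees. Note that Python's `quote()` also escapes the asterisk (%2A), so its output differs slightly from the escaped form shown in Marcus's first mail; the outcome is the same.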