W3C home > Mailing lists > Public > www-ws-arch@w3.org > August 2002

RE: Security Question -XML Schema Default Attribute handling

From: Ahmed, Zahid <zahid.ahmed@commerceone.com>
Date: Mon, 5 Aug 2002 11:58:21 -0700
Message-ID: <C1E0143CD365A445A4417083BF6F42CC02F891A1@C1plenaexm07.commerceone.com>
To: www-ws-arch@w3.org
There are quite a fews ways to answer the attached question.
 
The general answer is that if a particular XML document needs to be secured
(e.g.,
signed using W3C XML DSIG and encrypted using W3C XML ENC) and it has
certain
default attributes defined in its XML schema defintion, then the default
values of tje
attributes are set (via an attribute normalization step) at parsing time,
e.g., when 
a DOM (Level 2) tree representation is created for the XML document
instance. This
DOM tree is processed by the required canonicalization algorihm.
 
However, attribute normization is a parser issue, i.e., parser should run in
well-formed and validartion mode typically *before* security operation is
invoked.
Any parser that claims conformance to XML 1.0 has to do attribute
normization as 
specified therein. Hence, the signature generation operation has to rely on
the parser 
for this step.
 
Now, there are some interesting issues w.r.t. this problem. E.g., I believe
W3C
XML DSIG supports use of C14N canonicalization algorithm. However, C14N has
no knowledge of XML Schema, i.e., it is schema-unaware. To address this 
shortcoming I believe there was some work done in the area of schema
validation 
transform for XML DSIG such that it could force the document-to-be-signed
(and
subsequently encrypted..) to go through a schema validation step; this way
you 
can handle propagation of default attributes. Exclusive canonicalization may
help when it applies to a XML Schema syntax. 
 
Lastly I know the default attribute issue was extensively discussed in the
UDDI Security working group. I think the consensue there was to transfer 
all the default attribute and white-space handling reqmnts to Exclusive 
canonicalization effort in W3C.... 
 
 
thanks,
Zahid Ahmed 
Commerce One, Inc. 
 
 
 
 
 
 
 
 

-----Original Message-----
From: Cutler, Roger (RogerCutler) [mailto:RogerCutler@ChevronTexaco.com]
Sent: Monday, August 05, 2002 11:18 AM
To: www-ws-arch@w3.org <mailto:www-ws-arch@w3.org> 
Subject: Security Question



I've got a question about security that may reflect some misconception on my
part -- but here goes anyway: 

I think that the XML payload of the response from a web service -- or indeed
I suppose the message that invokes it -- may be validated by a schema.  If
so, that schema can add data via defaults and/or fixed values.  How is this
secured?

Let me be more specific with a contrived example:  Suppose we are purchasing
widgets via a web service and in the XML document you specify "1" for the
amount to purchase.  However, suppose the schema has a default value of
"Each" that explains the meaning of the "1".  Now suppose that either from
malicious tampering or through the use of a schema intended for a different
audience that default (which is on the seller side) is changed to "dozen".
Now the "1" really means 12 items, which is a lot more expensive.

This is obviously contrived and dumb, but I think it illustrates the fact
that schemas can affect data. 

So how is this secured?  Can the buyer in the context of the message
unambiguously specify what schema must be used for validation and have some
sort of check that it was the right one?  Can it be secured?
Received on Monday, 5 August 2002 14:58:22 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 3 July 2007 12:25:03 GMT