Re: Should we say anything on security?

On Wed, Sep 12, 2012 at 12:37 PM, Liam R E Quin <liam@w3.org> wrote:

> > 2. We should say something about the applicability of XML Digital
> > Signatures to MicroXML.
> > a) You need to use a MicroXML parser not an XML parser to construct the
> > XML DSig data model, because newlines in attribute values aren't normalized
> > in MicroXML
>
> Is this really enough of a reason to abandon the XML parser?
> Is this really enough of a reason to abandon the XML parser?
I think in some cases it could be.  It would allow an attacker to change a
newline to a space (and vice-versa) in an attribute value without affecting
the signature.  This could be very significant: imagine if you have some
JavaScript in the attribute value.

James

Received on Wednesday, 12 September 2012 06:02:15 UTC
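The following is an added illustration of the attack James describes, not code from this thread or from the MicroXML or XML DSig specifications. It feeds two constructed documents, identical except for a literal newline versus a space inside an onclick attribute, to Python's expat-backed XML parser (which applies XML 1.0 attribute-value normalization) and to a hypothetical toy stand-in for a MicroXML parser's view (which keeps the value verbatim). The `digest` function is a stand-in for the octets a signature would cover; `DOC_NEWLINE`, `DOC_SPACE`, `microxml_attr_values` and `newline_space_swap_is_invisible` are names assumed here for the example.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample documents (not from the mail): identical except that the
# onclick value contains a literal newline in one and a space in the other.
DOC_NEWLINE = b'<a onclick="return\nconfirm(1)">x</a>'
DOC_SPACE = b'<a onclick="return confirm(1)">x</a>'


def xml_attr_values(doc: bytes) -> dict:
    """Attribute values as an XML 1.0 parser reports them.

    expat applies XML attribute-value normalization: a literal newline, tab or
    CR inside a quoted attribute value is replaced by a single space before
    the application ever sees it. Only a character reference such as &#10;
    survives as a real newline.
    """
    return dict(ET.fromstring(doc).attrib)


# Hypothetical stand-in for a MicroXML parser's view of the same start tag.
# It only handles one start tag with double-quoted attributes, the five XML
# entities and decimal character references, which is enough for the
# constructed inputs above. What it models is that MicroXML keeps literal
# whitespace in attribute values verbatim instead of normalizing it.
_ATTR_RE = re.compile(r'([A-Za-z_][\w.-]*)="([^"]*)"')
_ENTITIES = {"lt": "<", "gt": ">", "amp": "&", "quot": '"', "apos": "'"}


def _decode_refs(raw: str) -> str:
    def repl(m: re.Match) -> str:
        name = m.group(1)
        if name.startswith("#"):
            return chr(int(name[1:]))
        return _ENTITIES[name]

    return re.sub(r"&(#\d+|[a-z]+);", repl, raw)


def microxml_attr_values(doc: bytes) -> dict:
    text = doc.decode("utf-8")
    start_tag = text[: text.index(">")]
    return {name: _decode_refs(raw) for name, raw in _ATTR_RE.findall(start_tag)}


def digest(attrs: dict) -> str:
    """Stand-in for the octets a signature covers: a canonical serialisation
    of the parsed attribute data model (sorted name=value pairs)."""
    canon = "".join(f"{k}={v!r};" for k, v in sorted(attrs.items()))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def newline_space_swap_is_invisible(parse) -> bool:
    """True if replacing the literal newline with a space (or vice versa)
    leaves the digest, and so the signature, unchanged under this parser."""
    return digest(parse(DOC_NEWLINE)) == digest(parse(DOC_SPACE))


if __name__ == "__main__":
    for label, parse in (("XML parser", xml_attr_values),
                         ("MicroXML view", microxml_attr_values)):
        print(f"{label:14}: onclick={parse(DOC_NEWLINE)['onclick']!r}, "
              f"swap invisible to signature: "
              f"{newline_space_swap_is_invisible(parse)}")
```

Under the XML parser both documents yield `onclick="return confirm(1)"`, so the two digests match and a signature computed over that view cannot tell them apart; under the MicroXML view the newline survives and the digests differ. The JavaScript angle is why this matters: a line terminator directly after `return` triggers automatic semicolon insertion, so `return\nconfirm(1)` returns `undefined` without ever calling `confirm`, while `return confirm(1)` calls it. An attacker who can swap that one character changes what the handler does without invalidating a signature that was computed over the XML parser's normalized view.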