- From: Juan Carlos Cruellas <cruellas@ac.upc.edu>
- Date: Mon, 13 Oct 2008 14:13:23 +0200
- To: xml sec public <public-xmlsec@w3.org>
Frederick,

Thanks for the message, and again, my apologies for misplacing my comments... I see now that the administrative page has all the links to the draft documents, so I hope this does not happen again....

As for your reactions, please see below intermixed.

Frederick Hirsch wrote:
> Juan Carlos
>
> Thanks for reviewing the best practices document
>
> I believe your comment is in the following document you uploaded:
> http://www.w3.org/2008/xmlsec/Drafts/best-practices/comments-bhill-jcc.html
>
> The comment is in section 2.1 before the first best practice and is:
> "[jcc: I think that best practices 1 and 3 overlap somehow, as they
> seem to mix two concepts: "authentication" of the signer, and trust in
> that signer. I would also say that the header of best practice 1
> does not completely match the content, as its content actually speaks
> of trust, not of authentication. My proposal would be to change the
> header of best practice 1 to: "Mitigate denial of service attacks by
> executing potentially dangerous operations only after establishing
> trust in the signer key". After that I would suppress best practice 3.]"
>
> Thus in the latest editors' draft
> http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/
> I believe your proposal is:
>
> 1. change the title of best practice 1 to: "Mitigate denial of service
>    attacks by executing potentially dangerous operations only after
>    establishing trust in the signer key"
> 2. remove best practice 2: "Best Practice 2: Establish trust in the
>    verification/validation key."
>
> However I think the intent of best practice 1 was to indicate
> verification of the signature on SignedInfo before validating
> references, and #2 was to also remind to verify keys; thus I suggest we
> do not make the change you suggest, since #1 did include signature
> verification and #2 is important to call out the importance of key
> verification.
>
> regards, Frederick

Mmmmm, I see the point that you make, but I still see in BP1 text related to establishing trust. Take a look at the following pieces:

"Validate the ds:Reference elements for a signature only after establishing trust, for example by verifying the key and validating ds:SignedInfo first."

"1. /Step 1/ fetch the verification key and establish trust in that key"

"But by step 3, the entire SignedInfo has been authenticated, and so all the URIs and transforms in the SignedInfo can be attributed to a responsible party. However an implementation may still choose to disallow these operations even in step 3, if the party is not trusted to perform them."

Now, taking your point that "the intent of best practice 1 was to indicate verification of the signature on SignedInfo before validating references", may I suggest then the following:

1. Convert BP 2 to BP 1. Rationale: we establish this issue from the very beginning.
2. Rename the BP 1 title so that it actually reads what you mention: "Mitigate denial of service attacks by validating the references (that might imply potentially dangerous operations) only after the verification of SignedInfo has been completed".

Does it seem reasonable?

Regards

Juan Carlos.

> Frederick Hirsch
> Nokia
>
> On Oct 7, 2008, at 11:16 AM, ext Juan Carlos Cruellas wrote:
>
>> Dear all,
>>
>> I have posted a reviewed version of the best practices document with
>> one comment as reported in the message below:
>>
>> http://lists.w3.org/Archives/Member/member-xmlsec-commits/2008Oct/0004.html
>>
>> This should close action 58 on myself.
>>
>> Regards
>>
>> Juan Carlos.
Received on Monday, 13 October 2008 12:15:35 UTC
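The three-step order the thread argues about (establish trust in the key, verify the signature over ds:SignedInfo, only then dereference Reference URIs and run transforms) is easiest to see in code. The block below is an added example written for this page; it is not code from the W3C best-practices draft, from the list participants, or from any XML Security library. It assumes an HMAC-SHA256 SignatureMethod with keys looked up by ds:KeyName in a trusted-key table, same-document ("#id") references only, and C14N 2.0 via Python's ET.canonicalize as the only transform the verifier will run; the sample document, the key table and the attacker edits in scenarios() are all constructed here.

```python
"""Added example, not code from the W3C draft: the verification order from the thread.
Assumes HMAC-SHA256 keyed by ds:KeyName, same-document references only, and C14N 2.0
(ET.canonicalize) as the only transform the verifier is willing to run."""
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}
ET.register_namespace("ds", DS)
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
C14N2 = "http://www.w3.org/2010/xml-c14n2"
XSLT = "http://www.w3.org/TR/1999/REC-xslt-19991116"
ALLOWED_TRANSFORMS = {C14N2}  # verifier policy: no XSLT, no XPath


class Rejected(Exception):
    pass  # the message names the step at which verification stopped


def canonical(elem):
    """C14N 2.0 octets of a subtree (serialise, then canonicalise)."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()


def dereference(root, uri):
    """Same-document references only: '#id' -> the element carrying that Id."""
    if not uri.startswith("#"):
        raise Rejected(f"step 3: refusing to dereference external URI {uri!r}")
    for el in root.iter():
        if el.get("Id") == uri[1:]:
            return el
    raise Rejected(f"step 3: no element with Id {uri[1:]!r}")


def run_steps(root, trusted_keys, trace):
    sig = root.find("ds:Signature", NS)
    # Step 1: establish trust in the verification key before anything else.
    key = trusted_keys.get(sig.findtext("ds:KeyInfo/ds:KeyName", namespaces=NS))
    if key is None:
        raise Rejected("step 1: key is not trusted")
    trace.append("key-trust")
    # Step 2: verify SignedInfo; only now can its URIs/transforms be attributed to the key holder.
    si = sig.find("ds:SignedInfo", NS)
    if si.find("ds:SignatureMethod", NS).get("Algorithm") != HMAC_SHA256:
        raise Rejected("step 2: unsupported SignatureMethod")
    expected = hmac.new(key, canonical(si), hashlib.sha256).digest()
    given = base64.b64decode(sig.findtext("ds:SignatureValue", namespaces=NS))
    if not hmac.compare_digest(expected, given):
        raise Rejected("step 2: signature over SignedInfo does not verify")
    trace.append("signed-info")
    # Step 3: now, and only now, touch the References; local policy still limits transforms.
    for ref in si.findall("ds:Reference", NS):
        for t in ref.findall("ds:Transforms/ds:Transform", NS):
            if t.get("Algorithm") not in ALLOWED_TRANSFORMS:
                raise Rejected(f"step 3: transform {t.get('Algorithm')} not permitted")
        digest = hashlib.sha256(canonical(dereference(root, ref.get("URI", "")))).digest()
        given = base64.b64decode(ref.findtext("ds:DigestValue", namespaces=NS))
        if not hmac.compare_digest(digest, given):
            raise Rejected(f"step 3: digest mismatch for {ref.get('URI')}")
        trace.append("reference " + ref.get("URI"))


def verify(document_xml, trusted_keys):
    """Returns (steps completed, rejection reason or None): how far the verifier got."""
    trace = []
    try:
        run_steps(ET.fromstring(document_xml), trusted_keys, trace)
        return trace, None
    except Rejected as e:
        return trace, str(e)


def sign(template_xml, key):
    """Signer side: fill DigestValue/SignatureValue of a template (transforms not applied)."""
    root = ET.fromstring(template_xml)
    sig = root.find("ds:Signature", NS)
    si = sig.find("ds:SignedInfo", NS)
    for ref in si.findall("ds:Reference", NS):
        d = hashlib.sha256(canonical(dereference(root, ref.get("URI", "")))).digest()
        ref.find("ds:DigestValue", NS).text = base64.b64encode(d).decode()
    mac = hmac.new(key, canonical(si), hashlib.sha256).digest()
    sig.find("ds:SignatureValue", NS).text = base64.b64encode(mac).decode()
    return ET.tostring(root, encoding="unicode")


# Constructed sample document and key table (not from the draft).
TEMPLATE = f"""<Order xmlns:ds="{DS}">
  <Payload Id="p1">ship 10 units</Payload>
  <ds:Signature><ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="{C14N2}"/><ds:SignatureMethod Algorithm="{HMAC_SHA256}"/>
    <ds:Reference URI="#p1"><ds:Transforms><ds:Transform Algorithm="{C14N2}"/></ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue/>
    </ds:Reference></ds:SignedInfo>
  <ds:SignatureValue/><ds:KeyInfo><ds:KeyName>alice</ds:KeyName></ds:KeyInfo>
  </ds:Signature></Order>"""
TRUSTED = {"alice": b"constructed-shared-secret"}


def scenarios():
    """Cases a verifier should get right; returns {name: (trace, reason)}."""
    good = sign(TEMPLATE, TRUSTED["alice"])
    xslt = sign(TEMPLATE.replace(f'Transform Algorithm="{C14N2}"', f'Transform Algorithm="{XSLT}"'), TRUSTED["alice"])
    return {
        "valid": verify(good, TRUSTED),
        "untrusted key": verify(good.replace(">alice<", ">mallory<"), TRUSTED),
        "tampered URI": verify(good.replace('URI="#p1"', 'URI="http://attacker.example/huge"'), TRUSTED),
        "xslt transform": verify(xslt, TRUSTED),
    }
```

Calling scenarios() gives the four outcomes that matter for the thread. "valid" completes all three steps. "untrusted key" stops at step 1 with nothing else examined. "tampered URI" is the denial-of-service case: an attacker rewrote a Reference URI to an external location after signing, so the HMAC over SignedInfo fails at step 2 and the verifier never attempts to fetch the URL. "xslt transform" is signed by a trusted key and passes step 2, yet step 3 still refuses to run the transform, which is the "may still choose to disallow these operations even in step 3" sentence quoted above in code form.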