Re: Reminder: WG actions needed on Best Practices before publication

Hirsch Frederick (Nokia-OCTO/Boston) wrote:
> 
> All
> 
> We have some items to complete before publishing the Best Practices as a 
> first working draft.
> If we can complete these items before 7 October, then we can agree at 
> that meeting to the changes, incorporate them before the F2F and agree 
> to publish during the F2F (unless we are able to agree to publish on 7 
> October).
> 
> 1) Please review the current Best Practices draft so that we can approve 
> as working draft for publication. Please post any comments to the list 
> by next week.
> 
> http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/

A couple of comments on section 2.1.3

I don't understand how an implementation would process this 
RetrievalMethod recursively in an endless loop. I think a valid 
implementation should dereference the RetrievalMethod once, pass the 
result through any transforms and return the resulting XML Structure (or 
KeyInfo if it is one of the types in [1]). I think that in order for 
this attack to succeed, the reference processing model would need to 
support reference chaining, but AFAICT it doesn't allow that.

Also, there is a duplicate best practice #5 in this section. (Section 
2.1.2 contained best practice #5).

--Sean

[1] http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-KeyInfo

Received on Monday, 22 September 2008 20:21:55 UTC