- From: Sean Mullan <Sean.Mullan@Sun.COM>
- Date: Mon, 22 Sep 2008 16:53:47 -0400
- To: Pratik Datta <pratik.datta@oracle.com>
- Cc: "Hirsch Frederick (Nokia-OCTO/Boston)" <frederick.hirsch@nokia.com>, XMLSec WG Public List <public-xmlsec@w3.org>
Pratik Datta wrote:
> There is some ambiguity around the "RetrievalMethod"
>
> The spec says that
>
> "The result of dereferencing a RetrievalMethod Reference
> for all KeyInfo types defined by this specification
> (section 4.4) with a corresponding XML structure is an XML element or
> document with that element as the root"
>
> My interpretation is that a RetrievalMethod can point to a KeyInfo type,
> and one of the KeyInfo types is RetrievalMethod. So doesn't this imply
> reference chaining? Because effectively a RetrievalMethod is pointing to
> another RetrievalMethod, which can point to yet another one and so on.
But RetrievalMethod is not one of the valid KeyInfo types that
RetrievalMethod can refer to (see section 4.4):

The following list summarizes the KeyInfo types that are allocated an
identifier in the &dsig; namespace; these can be used within the
RetrievalMethod Type attribute to describe a remote KeyInfo structure.

* http://www.w3.org/2000/09/xmldsig#DSAKeyValue
* http://www.w3.org/2000/09/xmldsig#RSAKeyValue
* http://www.w3.org/2000/09/xmldsig#X509Data
* http://www.w3.org/2000/09/xmldsig#PGPData
* http://www.w3.org/2000/09/xmldsig#SPKIData
* http://www.w3.org/2000/09/xmldsig#MgmtData

--Sean
>
>
> Pratik
>
> Sean Mullan wrote:
>>
>>
>> Hirsch Frederick (Nokia-OCTO/Boston) wrote:
>>>
>>> All
>>>
>>> We have some items to complete before publishing the Best Practices
>>> as a first working draft.
>>> If we can complete these items before 7 October, then we can agree at
>>> that meeting to the changes, incorporate them before the F2F and
>>> agree to publish during the F2F (unless we are able to agree to
>>> publish on 7 October).
>>>
>>> 1) Please review the current Best Practices draft so that we can
>>> approve as working draft for publication. Please post any comments to
>>> the list by next week.
>>>
>>> http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/
>>
>> A couple of comments on section 2.1.3
>>
>> I don't understand how an implementation would process this
>> RetrievalMethod recursively in an endless loop. I think a valid
>> implementation should dereference any RetrievalMethod once, pass
>> the result through transforms and return the resulting XML Structure
>> (or KeyInfo if it is one of the types in [1]). I think that in order
>> for this attack to succeed, the reference processing model would need
>> to support reference chaining, but AFAICT it doesn't allow that.
>>
>> Also, there is a duplicate best practice #5 in this section. (Section
>> 2.1.2 contained best practice #5).
>>
>> --Sean
>>
>> [1] http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-KeyInfo
>>
>
Received on Monday, 22 September 2008 20:54:25 UTC
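
Added example, not part of the original message and not code from any implementation discussed in the thread: a sketch of the single-dereference behaviour described above, where a RetrievalMethod is resolved once, its Type is checked against the section 4.4 list quoted in the message, and a result that is itself a RetrievalMethod is refused rather than followed. The names `resolve_retrieval_method`, `RetrievalError` and `outcomes`, the restriction to same-document `#id` URIs, the strict Type match, the absence of Transforms processing, and the sample document (including its `Id` attributes) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
# KeyInfo Type identifiers from the section 4.4 list quoted in the message.
ALLOWED_TYPES = {DSIG + name for name in (
    "DSAKeyValue", "RSAKeyValue", "X509Data", "PGPData", "SPKIData", "MgmtData")}
RETRIEVAL_METHOD = "{%s}RetrievalMethod" % DSIG

class RetrievalError(Exception): pass

def resolve_retrieval_method(root, rm):
    """Dereference rm exactly once and return the target element.
    Assumptions: same-document "#id" URIs only, Transforms are not applied,
    and a declared Type must match the target (a strict local policy).
    """
    uri, rtype = rm.get("URI", ""), rm.get("Type")
    if rtype is not None and rtype not in ALLOWED_TYPES:
        raise RetrievalError("Type not in the section 4.4 list: %s" % rtype)
    if len(uri) < 2 or not uri.startswith("#"):
        raise RetrievalError("only same-document references are handled here")
    targets = [e for e in root.iter() if e.get("Id") == uri[1:]]
    if len(targets) != 1:
        raise RetrievalError("URI must match exactly one element")
    target = targets[0]
    # No chaining: a result that is or contains a RetrievalMethod is refused.
    if any(e.tag == RETRIEVAL_METHOD for e in target.iter()):
        raise RetrievalError("result contains a RetrievalMethod; chaining refused")
    if rtype is not None and target.tag != "{%s}%s" % (DSIG, rtype[len(DSIG):]):
        raise RetrievalError("target does not match declared Type")
    return target

# Constructed sample: rm1 and rm2 point at each other, rm3 points at a key.
SAMPLE = """<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyInfo>
  <RetrievalMethod Id="rm1" URI="#rm2"/>
  <RetrievalMethod Id="rm2" URI="#rm1"/>
  <RetrievalMethod Id="rm3" URI="#k1"
      Type="http://www.w3.org/2000/09/xmldsig#RSAKeyValue"/>
  <RSAKeyValue Id="k1"><Modulus>AA==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>
</KeyInfo></Signature>"""

def outcomes(xml_text=SAMPLE):
    """Map each RetrievalMethod Id to the resolved tag or the refusal reason."""
    root, out = ET.fromstring(xml_text), {}
    for rm in root.iter(RETRIEVAL_METHOD):
        try:
            out[rm.get("Id")] = resolve_retrieval_method(root, rm).tag
        except RetrievalError as exc:
            out[rm.get("Id")] = "refused: %s" % exc
    return out
```

Calling `outcomes()` on the constructed sample resolves `rm3` to the RSAKeyValue element and refuses `rm1` and `rm2`, which reference each other.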