- From: Sean Mullan <Sean.Mullan@Sun.COM>
- Date: Mon, 22 Sep 2008 16:53:47 -0400
- To: Pratik Datta <pratik.datta@oracle.com>
- Cc: "Hirsch Frederick (Nokia-OCTO/Boston)" <frederick.hirsch@nokia.com>, XMLSec WG Public List <public-xmlsec@w3.org>
Pratik Datta wrote: > There is some ambiguity around the "RetrievalMethod" > > The spec says that > > "The result of dereferencing a |RetrievalMethod| |Reference <#sec-URI>| > for all |KeyInfo| types defined by this specification <#sec-KeyInfo> > (section 4.4) with a corresponding XML structure is an XML element or > document with that element as the root" > > My interpretation is that a RetrievalMethod can point to a KeyInfo type, > and one of the KeyInfo types is RetrievalMethod. So doesn't this imply > reference chaining? Because effectively a RetrievalMethod is pointing to > another RetrievalMethod , which can point to yet another one and so on. But RetrievalMethod is not one of the valid KeyInfo types that RetrievalMethod can refer to (see section 4.4): The following list summarizes the KeyInfo types that are allocated an identifier in the &dsig; namespace; these can be used within the RetrievalMethod Type attribute to describe a remote KeyInfo structure. * http://www.w3.org/2000/09/xmldsig#DSAKeyValue * http://www.w3.org/2000/09/xmldsig#RSAKeyValue * http://www.w3.org/2000/09/xmldsig#X509Data * http://www.w3.org/2000/09/xmldsig#PGPData * http://www.w3.org/2000/09/xmldsig#SPKIData * http://www.w3.org/2000/09/xmldsig#MgmtData --Sean > > > Pratik > > Sean Mullan wrote: >> >> >> Hirsch Frederick (Nokia-OCTO/Boston) wrote: >>> >>> All >>> >>> We have some items to complete before publishing the Best Practices >>> as a first working draft. >>> If we can complete these items before 7 October, then we can agree at >>> that meeting to the changes, incorporate them before the F2F and >>> agree to publish during the F2F (unless we are able to agree to >>> publish on 7 October). >>> >>> 1) Please review the current Best Practices draft so that we can >>> approve as working draft for publication. Please post any comments to >>> the list by next week. >>> >>> http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/ >> >> A couple of comments on section 2.1.3 >> >> I don't understand how an implementation would process this >> RetrievalMethod recursively in an endless loop. I think a valid >> implementation should dereference the any RetrievalMethod once, pass >> the result through transforms and return the resulting XML Structure >> (or KeyInfo if it is one of the types in [1]). I think that in order >> for this attack to succeed, the reference processing model would need >> to support reference chaining, but AFAICT it doesn't allow that. >> >> Also, there is a duplicate best practice #5 in this section. (Section >> 2.1.2 contained best practice #5). >> >> --Sean >> >> [1] http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-KeyInfo >> >
Received on Monday, 22 September 2008 20:54:25 UTC