Re: Reminder: WG actions needed on Best Practices before publication from Frederick Hirsch on 2008-09-22 (public-xmlsec@w3.org from September 2008)

From: Frederick Hirsch <frederick.hirsch@nokia.com>
Date: Mon, 22 Sep 2008 17:25:05 -0400
To: ext Sean Mullan <Sean.Mullan@Sun.COM>
Cc: XMLSec WG Public List <public-xmlsec@w3.org>
Message-Id: <FB836DAB-CAD5-4470-8E64-94CDD99DB4D6@nokia.com>

Could the concern about implementations be addressed generically in  
section 2.1, the introduction to denial of service, by changing the  
first paragraph:

"XML signature implementations are often used in application server  
systems, where multiple incoming messages are being processed  
simultaneously. In this situation incoming messages should be assumed  
to be possibly hostile, and it is not acceptable for a single poison  
message to bring down an entire set of web applications and services."

adding:

"This section outlines possible denial of service attacks and best  
practices to mitigate them, though advanced implementations make have  
not be susceptible to all of them."

regards, Frederick

Frederick Hirsch
Nokia



On Sep 22, 2008, at 3:05 PM, ext Sean Mullan wrote:

> Hirsch Frederick (Nokia-OCTO/Boston) wrote:
>> All
>> We have some items to complete before publishing the Best Practices  
>> as a first working draft.
>> If we can complete these items before 7 October, then we can agree  
>> at that meeting to the changes, incorporate them before the F2F and  
>> agree to publish during the F2F (unless we are able to agree to  
>> publish on 7 October).
>> 1) Please review the current Best Practices draft so that we can  
>> approve as working draft for publication. Please post any comments  
>> to the list by next week.
>> http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/
>
> A couple of comments on section section 2.1.2 (Best Practice 5).
>
> I think it would be a fairly immature XML Signature implementation  
> that would still duplicate every namespace node for each element in  
> the document. Yes, some early implementations did do that. I suggest  
> adjusting the wording in this section as to not imply that every  
> implementation does that.
>
> Also, the example uses relative namespace URIs which should be  
> rejected by C14N implementations [1]. So the example needs to be  
> changed to use absolute URIs. This comment applies to all of the  
> other examples as well.
>
> --Sean
>
> [1] http://www.w3.org/TR/xml-c14n11/#DataModel
>
> Note: This specification supports the recent XML plenary decision to  
> deprecate relative namespace URIs as follows: implementations of XML  
> canonicalization MUST report an operation failure on documents  
> containing relative namespace URIs. XML canonicalization MUST NOT be  
> implemented with an XML parser that converts relative URIs to  
> absolute URIs.

Received on Monday, 22 September 2008 21:25:47 UTC