- From: Frederick Hirsch <frederick.hirsch@nokia.com>
- Date: Mon, 22 Sep 2008 17:25:05 -0400
- To: ext Sean Mullan <Sean.Mullan@Sun.COM>
- Cc: XMLSec WG Public List <public-xmlsec@w3.org>
Could the concern about implementations be addressed generically in section 2.1, the introduction to denial of service, by changing the first paragraph: "XML signature implementations are often used in application server systems, where multiple incoming messages are being processed simultaneously. In this situation incoming messages should be assumed to be possibly hostile, and it is not acceptable for a single poison message to bring down an entire set of web applications and services." adding: "This section outlines possible denial of service attacks and best practices to mitigate them, though advanced implementations make have not be susceptible to all of them." regards, Frederick Frederick Hirsch Nokia On Sep 22, 2008, at 3:05 PM, ext Sean Mullan wrote: > Hirsch Frederick (Nokia-OCTO/Boston) wrote: >> All >> We have some items to complete before publishing the Best Practices >> as a first working draft. >> If we can complete these items before 7 October, then we can agree >> at that meeting to the changes, incorporate them before the F2F and >> agree to publish during the F2F (unless we are able to agree to >> publish on 7 October). >> 1) Please review the current Best Practices draft so that we can >> approve as working draft for publication. Please post any comments >> to the list by next week. >> http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/ > > A couple of comments on section section 2.1.2 (Best Practice 5). > > I think it would be a fairly immature XML Signature implementation > that would still duplicate every namespace node for each element in > the document. Yes, some early implementations did do that. I suggest > adjusting the wording in this section as to not imply that every > implementation does that. > > Also, the example uses relative namespace URIs which should be > rejected by C14N implementations [1]. So the example needs to be > changed to use absolute URIs. This comment applies to all of the > other examples as well. > > --Sean > > [1] http://www.w3.org/TR/xml-c14n11/#DataModel > > Note: This specification supports the recent XML plenary decision to > deprecate relative namespace URIs as follows: implementations of XML > canonicalization MUST report an operation failure on documents > containing relative namespace URIs. XML canonicalization MUST NOT be > implemented with an XML parser that converts relative URIs to > absolute URIs.
Received on Monday, 22 September 2008 21:25:47 UTC