There is some ambiguity around the "RetrievalMethod"
The spec says that
"The result of dereferencing a RetrievalMethod Reference for all KeyInfo types defined by
this specification (section 4.4) with a corresponding XML structure
is an XML element or document with that element as the root"
My interpretation is that a RetrievalMethod can point to a KeyInfo
type, and one of the KeyInfo types is RetrievalMethod. So doesn't this
imply reference chaining? Because effectively a RetrievalMethod is
pointing to another RetrievalMethod, which can point to yet another
one and so on.
Pratik
Sean Mullan wrote:
Hirsch Frederick (Nokia-OCTO/Boston) wrote:
All
We have some items to complete before publishing the Best Practices as
a first working draft.
If we can complete these items before 7 October, then we can agree at
that meeting to the changes, incorporate them before the F2F and agree
to publish during the F2F (unless we are able to agree to publish on 7
October).
1) Please review the current Best Practices draft so that we can
approve as working draft for publication. Please post any comments to
the list by next week.
http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/
A couple of comments on section 2.1.3
I don't understand how an implementation would process this
RetrievalMethod recursively in an endless loop. I think a valid
implementation should dereference any RetrievalMethod once, pass
the result through transforms and return the resulting XML Structure
(or KeyInfo if it is one of the types in [1]). I think that in order
for this attack to succeed, the reference processing model would need
to support reference chaining, but AFAICT it doesn't allow that.
Also, there is a duplicate best practice #5 in this section. (Section
2.1.2 contained best practice #5).
--Sean
[1] http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-KeyInfo
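To make the two readings in this thread concrete, here is a small Python resolver written as an added example; it is not code from the thread, the working group, or any XML Signature library. It assumes same-document fragment URIs (`#id`) resolved against `Id` attributes, and the sample document, its `Id` values, and the `resolve` helper are constructed for illustration. `dereference_once` follows Sean's model (resolve the URI once and return whatever element is there), while `dereference_chained` follows the chaining reading Pratik describes but with a visited set and a hop limit, so a RetrievalMethod that points back at itself is reported instead of being processed in an endless loop.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
RETRIEVAL_METHOD = f"{{{DS}}}RetrievalMethod"

# Constructed sample document (not from the thread). Ids and structure are
# invented for illustration: "start" leads into a two-element loop, "good"
# leads through one intermediate RetrievalMethod to a KeyValue.
SAMPLE_XML = f"""
<Root xmlns="{DS}">
  <KeyInfo Id="ki-loop"><RetrievalMethod Id="start" URI="#k1"/></KeyInfo>
  <KeyInfo Id="ki-a"><RetrievalMethod Id="k1" URI="#k2"/></KeyInfo>
  <KeyInfo Id="ki-b"><RetrievalMethod Id="k2" URI="#k1"/></KeyInfo>
  <KeyInfo Id="ki-ok"><RetrievalMethod Id="good" URI="#mid"/></KeyInfo>
  <KeyInfo Id="ki-mid"><RetrievalMethod Id="mid" URI="#kv"/></KeyInfo>
  <KeyInfo Id="ki-key"><KeyValue Id="kv"><DSAKeyValue/></KeyValue></KeyInfo>
</Root>
"""


class ChainError(ValueError):
    """Raised when a RetrievalMethod cannot be resolved safely."""


def load_sample():
    return ET.fromstring(SAMPLE_XML)


def find_by_id(root, uri):
    """Resolve a same-document fragment URI ("#id") to the element whose Id
    attribute matches. Only fragment URIs are handled in this example."""
    if not uri or not uri.startswith("#"):
        raise ChainError(f"unsupported URI {uri!r}: only '#id' references handled here")
    wanted = uri[1:]
    for elem in root.iter():
        if elem.get("Id") == wanted:
            return elem
    raise ChainError(f"no element with Id={wanted!r}")


def dereference_once(root, retrieval_method):
    """Single dereference: resolve the URI once and hand back whatever element
    is there, even if it is another RetrievalMethod. No chaining takes place."""
    return find_by_id(root, retrieval_method.get("URI"))


def dereference_chained(root, retrieval_method, max_depth=4):
    """Follow RetrievalMethod -> RetrievalMethod, but with a visited set and a
    hop limit so a loop or an over-long chain is reported, not followed forever.
    Returns (final_element, hops)."""
    seen = set()
    current = retrieval_method
    for hops in range(1, max_depth + 1):
        uri = current.get("URI")
        if uri in seen:
            raise ChainError(f"RetrievalMethod cycle detected at {uri}")
        seen.add(uri)
        target = find_by_id(root, uri)
        if target.tag != RETRIEVAL_METHOD:
            return target, hops
        current = target  # another RetrievalMethod: keep going, bounded
    raise ChainError(f"RetrievalMethod chain longer than max_depth={max_depth}")


def resolve(root, rm_id, max_depth=4):
    """Convenience wrapper (constructed for this example) returning a plain tuple:
    ("ok", local element name, hops) or ("error", message, None)."""
    rm = find_by_id(root, "#" + rm_id)
    try:
        target, hops = dereference_chained(root, rm, max_depth)
    except ChainError as exc:
        return ("error", str(exc), None)
    return ("ok", target.tag.split("}")[1], hops)


if __name__ == "__main__":
    doc = load_sample()
    print("once, from 'start':", dereference_once(doc, find_by_id(doc, "#start")).get("Id"))
    print("chained, from 'good':", resolve(doc, "good"))
    print("chained, from 'start':", resolve(doc, "start"))
```

Under the single-dereference model the loop in the sample is harmless: resolving `start` simply yields the `k1` element and processing stops there. Only an implementation that chains needs the visited set and hop limit, which is the check a processor would want if it chose the chaining reading.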