Re: [ACTION-412][Fwd: Re: namespace wrapping attacks against XML Signature?]

All:

Perhaps we should consider more carefully the
prefix-free-canonicalization method described in the paper, for XML
Canonicalization Version 2.0?

This could greatly simplify both Canonical XML 2.0 for the default  
(new) variant?

Given the simplicity perhaps the performance might not be a major  
issue, but we would have to look at this.

regards, Frederick

Frederick Hirsch, Nokia
Chair XML Security WG



On Dec 1, 2009, at 4:08 PM, ext Ed Simon wrote:

> The attached paper (attached with permission of its authors) describes
> in detail the attack vector described in my 2009 April [1] post and
> subsequent discussions (looks like we independently became concerned
> about the same issue). Please review it so that we discuss whether there
> is general agreement that we need to address it.
>
> Thanks,
> Ed
>
> [1] http://lists.w3.org/Archives/Public/public-xmlsec/2009Apr/0025.html
>
> -------- Forwarded Message --------
> From: Meiko Jensen <Meiko.Jensen@ruhr-uni-bochum.de>
> To: edsimon@xmlsec.com, Meiko Jensen <Meiko.Jensen@rub.de>, Jörg Schwenk
> <joerg.schwenk@rub.de>, 'Thomas Roessler' <tlr@w3.org>, 'Frederick
> Hirsch' <Frederick.Hirsch@nokia.com>
> Subject: Re: namespace wrapping attacks against XML Signature?
> Date: Tue, 24 Nov 2009 10:51:42 +0100 (CET)
>
> Hi Ed, see below...
>
> Ed Simon wrote on 2009-11-23:
>> Thanks Meiko,
>
> ...
>
>> Is the W3C allowed to post your paper to the W3C public archive list?
>
> Feel free to do so :)
>
> best regards from Bochum, Germany
>
> Meiko
>
>> Regards,
>> Ed
>
> -- 
> ========================================
> Ed Simon
> 613-726-9645
> edsimon@xmlsec.com
> <sws5-jensen.pdf>

Received on Tuesday, 29 December 2009 22:44:01 UTC