Explain errata of XML Signature 2nd Edition and how these are addressed in XML Signature version 1.1

This note addresses how items from Errata for XML Signature 2nd edition from

http://www.w3.org/2008/06/xmldsigcore-errata.html

are covered in XML Signature Syntax and Processing Version 1.1 from

http://www.w3.org/TR/2009/WD-xmldsig-core1-20090730/

The errata covers known errors in:

http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/

About this document

This document examines how each erratum is corrected. The errata numbers are preserved from the original errata list:

E01: Error in example in section 2.1

The Simple Example should include a leading < character on the closing DigestValue tag in line [s10]:

[s10]     <DigestValue>dGhpcyBpcyBub3QgYSBzaWduYXR1cmUK...</DigestValue>

Corrected:

The new version incorporates this change

E02: Obsolete and incorrect material in section 9

Section 9.0, Schema, DTD, Data Model, and Valid Examples should only contain the XML Signature Schema Instance and XML Signature DTD material. The RDF Data Model is out of date, so that material should be removed from the section. The examples should also be removed from the section since they are misleading (e.g. including a "null transform"). The recommendation contains suitable examples in other sections. The title of the section should be changed to "Schema and DTD" in the heading and table of contents.

Corrected:

The new version has references only to XML Signature Schema Instance and XML Signature 1.1 Schema Instance

The following text is added to section 4.3.2 The SignatureMethod Element:

The ds:HMACOutputLength parameter is used for HMAC algorithms (including the HMAC-SHA1 algorithm defined in this spec, and HMAC algorithms based on other hash algorithms). The parameter specifies a truncation length in bits. If this parameter is trusted without further verification, then this can lead to a security bypass [CVE-2009-0217]. Signatures MUST be deemed invalid if the truncation length is below half the underlying hash algorithm's output length, or 80 bits, whichever of these two values is greater. Note that some implementations are known to not accept truncation lengths that are lower than the underlying hash algorithm's output length.

The first paragraph of section 6.3.1 HMAC is changed as follows:

The HMAC-SHA1 algorithm (RFC2104 [HMAC]) takes the truncation length in bits as a parameter; if the parameter is not specified, then all the bits of the hash are output. For the HMAC-SHA1 algorithm, any signature with a truncation length of less than 80 bits MUST be deemed invalid. An example of an HMAC-SHA1 SignatureMethod element: ...

This erratum addresses a vulnerability in a number of implementations of XML Signature. See CVE-2009-0217 and CERT Vulnerability Note 466161 for details.

Corrected:

The new version has incorporated the wording in section 4.3.2. The new version has the following in section 6.3.1:

Any signature with a truncation length that is less than half the output
length of the underlying hash algorithm MUST be deemed invalid.