- From: Meiko Jensen <Meiko.Jensen@ruhr-uni-bochum.de>
- Date: 29 Oct 2009 12:34:16 +0100
- To: public-xmlsec@w3.org
Hi,

as I lately noticed that the WG deals with similar problems as we do within our latest research (i.e. a streamable subset of XPath in the context of XML Signatures), I'd like to point your attention to some of our findings for consideration and discussion.

Though Barton et al. ( http://cs.nyu.edu/~deepak/publications/icde.pdf ) have shown that in theory every XPath expression can be converted into an equivalent XPath that does not contain any backward axes (thus allowing stream-based evaluation in general), the topic of a streamable subset of XPath is of crucial importance. Apart from the pure performance gains of using stream-based XML Signature validation (and maybe also application), one should also be aware of the other use that such a subset could have -- in terms of fending off the XML Signature Wrapping attack.

As we have shown lately ( http://www.nds.rub.de/media/nds/downloads/mjensen/ICWS09.pdf ), this particular attack threat can be tackled using position-aware referencing schemes in XML Signatures, which obviously can be done e.g. using XPath-based transformations. We thus defined a strong subset of XPath ourselves (called FastXPath), which to our consideration provides both: it performs way better than full XPath (see evaluation in the paper) and additionally was shown to be way more resistant to the XML Signature Wrapping threat.

Thus, if you are interested in determining how our work relates to the ongoing discussion on streamable XPath, please feel free to contact me.

Best regards from Bochum, Germany
Meiko

--
Dipl.-Inf. Meiko Jensen
Chair for Network and Data Security
Horst Görtz Institute for IT-Security
Ruhr University Bochum, Germany
_____________________________
Universitätsstr. 150, Geb. IC 4/150
D-44780 Bochum, Germany
Phone: +49 (0) 234 / 32-26796
Telefax: +49 (0) 234 / 32-14347
http://www.nds.rub.de
Received on Thursday, 29 October 2009 12:36:53 UTC
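The contrast the message draws between ID-based referencing and position-aware referencing, as an added example that is not part of the e-mail or of the FastXPath paper: a verifier resolves the signature's Id reference and then checks that the referenced element actually sits at the position the application processes. Element and attribute names, the two sample envelopes and the `reference_is_consistent` helper are constructed for this illustration; namespaces are omitted.

```python
# Added illustration (not code from the e-mail or the FastXPath paper): an
# ID-based reference lookup beside a position-aware, forward-axis-only check.
import xml.etree.ElementTree as ET

# Constructed sample: the signed element is the Body carrying Id="body".
ORIGINAL = """<Envelope>
  <Header><Security><Signature><Reference URI="#body"/></Signature></Security></Header>
  <Body Id="body"><Transfer amount="10"/></Body>
</Envelope>"""

# Constructed sample in which the signed Body was moved under the Header and an
# unsigned Body now sits at the position the application processes.
RELOCATED = """<Envelope>
  <Header><Security><Signature><Reference URI="#body"/></Signature></Security>
    <Wrapper><Body Id="body"><Transfer amount="10"/></Body></Wrapper></Header>
  <Body><Transfer amount="1000"/></Body>
</Envelope>"""

def find_by_id(root, id_value):
    """ID-based referencing: the first element anywhere in the tree with a matching Id."""
    return root.find(f".//*[@Id='{id_value}']")

def absolute_path(root, target):
    """Position-aware location of target: child steps with positional predicates only,
    e.g. /Envelope[1]/Body[1], which a streaming evaluator can match in one pass."""
    parents = {child: parent for parent in root.iter() for child in parent}
    steps = []
    node = target
    while node is not root:
        parent = parents[node]
        same_name = [c for c in parent if c.tag == node.tag]
        steps.append(f"{node.tag}[{same_name.index(node) + 1}]")
        node = parent
    steps.append(f"{root.tag}[1]")
    return "/" + "/".join(reversed(steps))

def signed_element_path(xml_text, id_value):
    """Where the Id reference really resolves to, expressed as a position-aware path."""
    root = ET.fromstring(xml_text)
    signed = find_by_id(root, id_value)
    return None if signed is None else absolute_path(root, signed)

def reference_is_consistent(xml_text, id_value, expected_path):
    """Verifier-side check: accept only if the Id-referenced element is the very
    element at the position the application will process."""
    return signed_element_path(xml_text, id_value) == expected_path
```

In the relocated envelope the Id lookup still succeeds (the signed bytes are untouched), but the position check fails because the signed Body is no longer at `/Envelope[1]/Body[1]`.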