Re: Processing Instructions for supporting Streaming mode?

Meiko

Thanks for thinking about possible solutions.

In fact one of the initial proposals included PIs, see [1]

ISSUE-31 has pointers to related discussion [2] and was closed after
the WG agreed not to pursue using PIs [3] once it was decided to
produce a non-breaking 1.1 as well as a 2.0 release [4].

I don't think we ever passed a formal resolution, which we should
probably do.

If you have new ideas, rationale or proposals please don't hesitate to  
raise them on the list.

regards, Frederick

Frederick Hirsch
Nokia

[1] http://lists.w3.org/Archives/Public/public-xmlsec/2008Aug/0007.html

[2] http://www.w3.org/2008/xmlsec/track/issues/31

[3] http://lists.w3.org/Archives/Public/public-xmlsec/2009Mar/0016.html

[4] http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview.htm#sec-PI 
  and http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-20/#sec-PI

On Apr 19, 2010, at 7:25 AM, ext Meiko Jensen wrote:

> Hi all,
>
> regarding the support for streaming mode verification of XML Signatures
> I'd like to throw in the following idea: Is it useful to define optional
> XML processing instructions that indicate the parsing engine with all
> information necessary to process the referenced parts of a document?
> Strawman example:
>
> <A>
>  <?xml-signature c14n="..." digestMethod="..." ?>
>  <SignedFragment>
>    Some signed contents
>  </SignedFragment>
> </A>
>
> This way, the parsing engine is not required to first inspect the
> <ds:Signature> subtree for determining the selection paths (e.g. if that
> information occurs late in the document, as e.g. in SAML Assertions).
> Hence, this might allow one-pass signature verification instead of
> two-pass/DOM in many scenarios. It's easier to collect all data, then
> draw the links instead of starting with the <Reference> and follow a
> backward link.
>
> Obviously, the information given in the PI must be validated for
> equality to those given in the <ds:Signature> part later on, to prevent
> version-rollback attacks. However, I don't see a reason to have the PI
> covered by any signature itself.
>
> What do you think?
>
> best regards
>
> Meiko
>
> -- 
> Dipl.-Inf. Meiko Jensen
> Chair for Network and Data Security
> Horst Görtz Institute for IT-Security
> Ruhr University Bochum, Germany
> _____________________________
> Universitätsstr. 150, Geb. IC 4/150
> D-44780 Bochum, Germany
> Phone: +49 (0) 234 / 32-26796
> Telefax: +49 (0) 234 / 32-14347
> http:// www.nds.rub.de
>
>

Received on Monday, 19 April 2010 15:21:03 UTC
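
The equality check the quoted proposal calls for, as an added example that is not part of the original thread or of any W3C specification: a one-pass SAX reader stores the unsigned PI hints and compares them with the signed <ds:Reference> when it arrives later in the document. Assumptions: the PI pseudo-attributes carry algorithm URIs, fragments are linked by Id/URI, each Reference has one Transform, and the names HintChecker and check_hints are hypothetical. No digest or signature value is computed here.

```python
import io
import re
import xml.sax

DS = "http://www.w3.org/2000/09/xmldsig#"
EXC = "http://www.w3.org/2001/10/xml-exc-c14n#"
SHA1, SHA256 = DS + "sha1", "http://www.w3.org/2001/04/xmlenc#sha256"
FIELDS = {"Transform": "c14n", "DigestMethod": "digestMethod"}  # signed element -> PI key

class HintChecker(xml.sax.ContentHandler):
    """One pass: store unsigned PI hints, compare when the signed Reference arrives."""
    def __init__(self):
        super().__init__()
        self.pending = self.ref = None     # PI awaiting its element; open Reference
        self.hints, self.results = {}, {}  # Id -> PI hints; Id -> verdict
    def processingInstruction(self, target, data):
        if target == "xml-signature":
            self.pending = dict(re.findall(r'([\w-]+)\s*=\s*"([^"]*)"', data))
    def startElementNS(self, name, qname, attrs):
        if self.pending is not None:       # assumption: a PI governs the next element
            self.hints[attrs.get((None, "Id"))] = self.pending
            self.pending = None
        if name == (DS, "Reference"):
            self.ref = {"id": attrs.get((None, "URI"), "").lstrip("#")}
        elif self.ref is not None and name[0] == DS and name[1] in FIELDS:
            self.ref[FIELDS[name[1]]] = attrs.get((None, "Algorithm"))
    def endElementNS(self, name, qname):
        if name == (DS, "Reference"):
            ref, self.ref = self.ref, None
            hint = self.hints.get(ref["id"])
            if hint is None:
                self.results[ref["id"]] = "no-hint"  # nothing streamed: needs two-pass
            else:  # a differing hint means the streamed digest used the wrong algorithms
                same = all(hint.get(k) == ref.get(k) for k in FIELDS.values())
                self.results[ref["id"]] = "match" if same else "mismatch"

def check_hints(xml_bytes):
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_namespaces, True)
    parser.setContentHandler(HintChecker())
    parser.parse(io.BytesIO(xml_bytes))
    return parser.getContentHandler().results

# Constructed sample: f1's hint agrees with its Reference, f2's hint names SHA-1.
PI = '<?xml-signature c14n="{}" digestMethod="{}" ?><SignedFragment Id="{}">data</SignedFragment>'
REF = ('<ds:Reference URI="#{}"><ds:Transforms><ds:Transform Algorithm="{}"/></ds:Transforms>'
       '<ds:DigestMethod Algorithm="{}"/></ds:Reference>')
SAMPLE = (f'<A xmlns:ds="{DS}">' + PI.format(EXC, SHA256, "f1") + PI.format(EXC, SHA1, "f2")
          + "<ds:Signature><ds:SignedInfo>" + REF.format("f1", EXC, SHA256)
          + REF.format("f2", EXC, SHA256) + "</ds:SignedInfo></ds:Signature></A>").encode()
```

A verifier would reject any Reference whose verdict is "mismatch" and would still have to verify the signature over <ds:SignedInfo> before trusting the values the hints were compared against.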