Re: Action-539: review C14N2.0

Hi Scott, see inline

Scott Cantor wrote:
>> Section 6: QNames in content. Searching all text nodes for potential use
>> of prefixes is a horribly bad idea. Besides the performance overhead
>> you'll get weird matches, resulting in different namespace declarations
>> being covered within structurally identical XML documents. Major source
>> of confusion and unexplainable signature invalidations.
>>     
>
> I don't propose searching all text nodes, but I do believe enumerating the
> qualified names of nodes that are QName-valued to be useful and frankly
> necessary.
>   
OK, this makes way more sense to me. However, I wonder what this
approach can achieve more than the inclusiveNamespacePrefixList that is
already defined. If one uses a QName in a text node, one can either mark
that node as "QName-relevant content", hence have it parsed for prefixes
and embed them, or one can put the prefixes used in the QNames on the
inclusiveNamespaces list, hence having them embedded despite any
"visibly utilized". I'm not sure which approach is better or if one
includes the other already.

> On a separate but similar topic, I also think in the absence of schema-aware
> c14n that we have an obligation to allow the specification of ID-valued
> attributes to ensure better and safer interop of ID-based references. It
> doesn't by itself address wrapping attacks but it's an improvement on
> guessing ID-ness.
>   
I'm not sure I understood your point. I have no objection to the fact that
we have to support schema-unaware (or DTD-unaware) applications of XML
Signature; however, does this imply that we are not allowed to propose
solutions that do well with schema but are not applicable / not relevant
without, as long as we propose general "fallback" solutions for the
schema-unaware cases as well?

> (To anticipate a response, yes, in an ideal world we'd just use schemas and
> both issues would be addressed. But in this world, people often don't use
> them at runtime, nor do they use DTDs.)
>   
I plead guilty to having done this several times as well.
Please don't get me wrong, I don't say abandon the old, but I see some
potential for optimization (and for vulnerabilities as well) especially
regarding the broad use cases of Web Services. Maybe I'm biased in this.

best regards

Meiko

Received on Monday, 19 April 2010 18:11:56 UTC
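
The point about QName-valued content discussed in this thread, as an added example that is not part of the original message: when a prefix is used only inside element text, a canonicalization that keeps just the visibly utilized namespaces leaves the prefix binding out of the canonical form, so a digest over it does not cover that binding, while enumerating the QName-valued element brings the binding in. It uses Python's `xml.etree.ElementTree.canonicalize` (C14N 2.0 as later published) and its `qname_aware_tags` option; the documents, element names and namespace URIs are constructed for illustration.

```python
from xml.etree.ElementTree import canonicalize

# Constructed sample messages: identical structure and text, but the prefix
# "e" used inside the QName-valued <m:Code> text is bound to different URIs.
DOC_A = ('<m:Fault xmlns:m="urn:example:msg" xmlns:e="urn:example:errors-v1">'
         '<m:Code>e:Denied</m:Code></m:Fault>')
DOC_B = DOC_A.replace("urn:example:errors-v1", "urn:example:other")

# Element the application declares as QName-valued (Clark notation).
# Assumption: the application knows this without a schema.
QNAME_TAGS = {"{urn:example:msg}Code"}


def c14n_plain(xml):
    """Keep only prefixes visibly used in element and attribute names."""
    return canonicalize(xml)


def c14n_qname_aware(xml):
    """Also keep prefixes used in the text of the enumerated elements."""
    return canonicalize(xml, qname_aware_tags=QNAME_TAGS)


def binding_is_covered(c14n, doc_a, doc_b):
    """True if changing the prefix binding changes the canonical form,
    i.e. a digest computed over the output would detect the change."""
    return c14n(doc_a) != c14n(doc_b)


if __name__ == "__main__":
    print(c14n_plain(DOC_A))
    print(c14n_qname_aware(DOC_A))
    print("plain covers binding:      ",
          binding_is_covered(c14n_plain, DOC_A, DOC_B))
    print("qname-aware covers binding:",
          binding_is_covered(c14n_qname_aware, DOC_A, DOC_B))
```

The standard-library function has no inclusive prefix list parameter, so the alternative raised in the message is not shown here.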