Re: XML Signature Best Practices for XPath selection proposal

I have updated the Best Practices document to add the new section on incorrect XPaths, with editorial revisions to the text and a change of title, also adding a best practice (which was in the text proposal but not highlighted).

Please review the change so we can approve during the call:

http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/#incorrect-xpath-syntax

Thanks

regards, Frederick

Frederick Hirsch
Nokia



On Jul 22, 2010, at 7:40 AM, ext Meiko Jensen wrote:

> Regarding my Action-586 I drafted a new paragraph for the best practices
> document, to be inserted in between existing paragraphs 2.2.2 and 2.2.3
> (since I consider it to be close to 2.2.2 in content):
> 
> =================================
> 2.2.3 Modified Approval Example: XPathFilter2 syntax causes nothing to
> be selected for signing
> 
> Example: Insecure Approval verification message
> 
> <Doc xmlns="http://any.ns"
>      xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2">
>   <Approval xml:id="ap">...</Approval>
>   <Signature>
>     ...
>     <Reference URI="">
>       <Transforms>
>         <Transform Algorithm="...xmldsig-filter2">
>           <dsig-xpath:XPath Filter="intersect">//*[localname="Approval" and
>           namespace-uri="http://any.ns"]</dsig-xpath:XPath>
>         </Transform>
>       </Transforms> ...
>     </Reference>
>   </Signature>
> </Doc>
> 
> In this case, the XPath filter looks like it selects the Approval
> element of namespace http://any.ns. However, in fact, it selects
> nothing at all. Note that the function is spelled "local-name", not
> "localname", and that both function calls omit their brackets (). The
> correct XPath expression would have been
> //*[local-name()="Approval" and namespace-uri()="http://any.ns"].
> The problem here is that the XPath evaluation will not raise an
> exception, nor give any other advice that the XPath selected nothing
> or has bad syntax. This is due to the fact that the XPath parser will
> interpret the misspelled function names as regular XPath tokens, hence
> leading to completely different semantics that do not match the
> intended selection.
> As before, since nothing is selected, the digital signature does not
> provide any data integrity properties, but also raises no exception
> either on signature application or on verification. Hence, when
> applying XML Signatures using XPath it is recommended to always actively
> verify that the signature protects the intended elements, not more, not
> less.
> =================================
> 
> This should close ACTION-586.
> 
> best regards
> 
> Meiko
> 
> -- 
> Dipl.-Inf. Meiko Jensen
> Chair for Network and Data Security 
> Horst Görtz Institute for IT-Security 
> Ruhr University Bochum, Germany
> _____________________________
> Universitätsstr. 150, Geb. IC 4/150
> D-44780 Bochum, Germany
> Phone: +49 (0) 234 / 32-26796
> Telefax: +49 (0) 234 / 32-14347
> http:// www.nds.rub.de
> 
> 

Received on Friday, 23 July 2010 19:44:42 UTC
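
The recommendation that closes the quoted proposal (actively verify that the signature protects the intended elements, not more, not less) can be run as a check before signing and again before trusting a verified signature. The Java sketch below is an added example, not part of either message or of the Best Practices document. The class and method names are hypothetical, the sample document is constructed from the proposal's example, and the check covers only the nodes the XPath expression itself selects, not a full XPath Filter 2.0 transform.

```java
import java.io.StringReader;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.*;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class XPathSelectionCheck {
    // Constructed sample input modelled on the Doc/Approval example above.
    static final String DOC = "<Doc xmlns=\"http://any.ns\">"
        + "<Approval xml:id=\"ap\">approved</Approval><Other/></Doc>";

    // Evaluate expr and return "{namespace}local-name" for every selected node.
    static List<String> selected(Document doc, String expr) throws Exception {
        NodeList nodes = (NodeList) XPathFactory.newInstance().newXPath()
            .evaluate(expr, doc, XPathConstants.NODESET);
        List<String> names = new ArrayList<>();
        for (int i = 0; i < nodes.getLength(); i++) {
            Node n = nodes.item(i);
            names.add("{" + n.getNamespaceURI() + "}" + n.getLocalName());
        }
        return names;
    }

    // Fail closed unless the expression selects exactly the expected elements.
    static void requireExactly(Document doc, String expr, List<String> want)
            throws Exception {
        List<String> got = selected(doc, expr);
        if (!got.equals(want)) {
            throw new SecurityException("selected " + got + ", expected " + want + ": " + expr);
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // needed for namespace-uri() and getLocalName()
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(DOC)));
        List<String> want = List.of("{http://any.ns}Approval");
        String good = "//*[local-name()=\"Approval\" and namespace-uri()=\"http://any.ns\"]";
        String bad = "//*[localname=\"Approval\" and namespace-uri=\"http://any.ns\"]";
        for (String expr : new String[] {good, bad}) {
            try {
                requireExactly(doc, expr, want); // the XPath engine itself raises nothing
                System.out.println("OK: " + expr);
            } catch (SecurityException e) {
                System.out.println("REJECTED: " + e.getMessage());
            }
        }
    }
}
```

Comparing against an explicit list of expected elements catches both failure directions: the empty selection produced by the misspelled expression, and an expression that selects more than intended.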