- From: Thomas Roessler <tlr@w3.org>
- Date: Tue, 11 May 2010 17:07:45 +0200
- To: XMLSec WG Public List <public-xmlsec@w3.org>
- Cc: Thomas Roessler <tlr@w3.org>
Here's a text suggestion around external unparsed entities: > Resolving external unparsed entity references can imply network access and can in certain circumstances be a security concern for signature verifiers. As a policy decision, signature verifiers may choose not to resolve such entities, leading to a loss of interoperability. > > Best practice for signers: > > Do not transmit unparsed external entity references in signed material. Expand all entity references before creating the cleartext that is transmitted. Here's a suggestion around schema, replacing 2.7 and 2.8: > Part of the validation process defined by XML Schema includes the "normalization" of lexical values in a document into a "schema normalized value" that allows schema type validation to occur against a predictable form. > > Some implementations of validating parsers, particular early ones, often modified DOM information "in place" when performing this process. Unless the signer also performed a similar validation process on the input document, verification is likely to fail. Newer validating parsers generally include an option to disable type normalization, or take steps to avoid modifying the DOM, usually by storing normalized values internally alongside the original data. > > Verifiers should be aware of the effects of their chosen parser and adjust the order of operations or parser options accordingly. Signers might also choose to operate on the normalized form of an XML instance when possible. > > Additionally, validating processors will add default values taken from an XML schema to the DOM of an XML instance. > > > Best practice for signers: > > Do not rely on a validating processor on the consumer's end to normalize XML document. Instead, explicitly include default attribute values, and use normalized attributes when possible. > > Best practice for verifiers: > > Applications relying on validation should either consider verifying signatures before schema validation, or select implementations that can avoid destructive DOM changes while validating. > (That concludes my action; comments more than welcome.) -- Thomas Roessler, W3C <tlr@w3.org> (@roessler)
Received on Tuesday, 11 May 2010 15:07:48 UTC