- From: Scott Cantor <cantor.2@osu.edu>
- Date: Mon, 11 Oct 2010 09:57:18 -0400
- To: "'Pratik Datta'" <pratik.datta@oracle.com>, <public-xmlsec@w3.org>
> As Scott mentioned, even with XPath 1.0, it is possible to make it work with
> ID attributes beyond DTD by using the DOM 3 functions to mark ID attributes.

And schemas. It seems pretty weird to me that the W3C would produce yet more specs that ignore IDness from XML Schema unless that's a deliberate architectural choice to once and for all say that schema IDs are not the same as DTD IDs (which has been an ongoing argument for years).

(That's more of a comment about XPath 2 than us, since I think XPath 2 came after XSD, right?)

> My opinion is that we should not use the dsig2:IDAttributes function to
> define ID attributes for XPath profile. Because
> a) First of all we don't even need id() functions in XPath for dsig. We
> already have the URI mechanism in dsig which is widely used, we have already
> agreed to allow URI references to use ids defined by the
> dsig2:IDattributes. However we are telling users to avoid using IDs because
> of the possibility of wrapping attacks, instead they should use XPaths.
> Obviously they should not use the id() function in attributes, because it
> comes back to the whole issue of wrapping attacks.

Well, let me just say that there *are* ways around those attacks if you have application specific knowledge in your verifier. Not every implementation is trying to be an appliance that can process signatures with no regard for what's being signed.

> b) Secondly, one of the major DOM parsers used inside Oracle is not fully
> DOM3 compliant, and it does not support the setIDattribute function. There
> may be other DOM parsers in the similar situation too. So this may not be
> easy to implement for all parsers.

That doesn't create false positives though, only false negatives. That isn't a security risk, and those of us who use IDs extensively have many reasons to avoid such parsers anyway.

> I say that we leave the id() function exactly as it is in XPath 1.0, i.e.
> defined by DTD only.

I would argue for consistency across all uses of IDness in the spec, or alternatively that id() just be pulled from the XPath subset if you don't want to use it.

-- Scott
Received on Monday, 11 October 2010 13:57:45 UTC
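An added example, not part of the original message or of any XML Signature implementation: a sketch of a verifier that uses application-specific knowledge when resolving an ID reference, and that fails closed when it has no IDness information for the attribute. The element names (`Envelope`, `Body`, `Wrapper`, `Signature`, `Reference`), the `Id` attribute and the sample documents are hypothetical and constructed; digest and signature-value checks are assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET

def resolve_signed_element(root, id_attrs, expected_path="./Body"):
    """Return the element a same-document Reference covers, or raise ValueError.

    id_attrs: attribute names this verifier treats as IDs (what a DOM 3
    setIdAttribute call or a schema would establish).
    expected_path: where the application reads its data (hypothetical layout).
    """
    ref = root.find("./Signature/Reference")
    uri = ref.get("URI", "") if ref is not None else ""
    if len(uri) < 2 or not uri.startswith("#"):
        raise ValueError("no same-document ID reference")
    wanted = uri[1:]
    # Every element carrying the ID value; a valid document has exactly one.
    hits = [el for el in root.iter() if any(el.get(a) == wanted for a in id_attrs)]
    if len(hits) != 1:
        # Zero hits covers the parser that cannot mark the attribute as an ID:
        # the reference fails to resolve, so the signature is rejected.
        raise ValueError(f"ID matched {len(hits)} elements")
    # Application-specific knowledge: the signed element must be the one consumed.
    if hits[0] is not root.find(expected_path):
        raise ValueError("signed element is not the element the application reads")
    return hits[0]

def verdict(xml_text, id_attrs=("Id",)):
    try:
        resolve_signed_element(ET.fromstring(xml_text), id_attrs)
        return "accept"
    except ValueError as exc:
        return f"reject: {exc}"

# Constructed sample documents (signature value and digest omitted).
SIG = '<Signature><Reference URI="#b1"/></Signature>'
GOOD = f'<Envelope><Body Id="b1"><Amount>10</Amount></Body>{SIG}</Envelope>'
MOVED = ('<Envelope><Body><Amount>9999</Amount></Body>'
         f'<Wrapper><Body Id="b1"><Amount>10</Amount></Body></Wrapper>{SIG}</Envelope>')
DUPLICATE = ('<Envelope><Body Id="b1"><Amount>9999</Amount></Body>'
             f'<Wrapper><Body Id="b1"><Amount>10</Amount></Body></Wrapper>{SIG}</Envelope>')

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("moved", MOVED), ("duplicate", DUPLICATE)):
        print(name, "->", verdict(doc))
    print("no ID knowledge ->", verdict(GOOD, id_attrs=()))
```

The last call models a parser with no way to mark the attribute as an ID: the outcome is a rejected signature on a good document, never an accepted one on a bad document.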