- From: Cantor, Scott E. <cantor.2@osu.edu>
- Date: Tue, 8 Mar 2011 00:34:25 +0000
- To: "public-xmlsec@w3.org" <public-xmlsec@w3.org>
My recollection of this issue was that we wanted to urge applications to favor XPath for selection over XPath for verification because the latter is optional for the verifier, so would lead to wrapping attacks even if the PositionAssertion feature were used.

So I suggest adding the following text to section 10.7.2 of the Feb 7th WD of Sig 2.0:

"While using the PositionAssertion feature allows more flexibility in accommodating XPath-unaware verifiers, applications SHOULD favor the use of XPath-based selection via the dsig2:IncludedXPath element over the use of this feature in most cases. Because verification of the PositionAssertion is formally optional, verifiers may become subject to positional wrapping attacks (Reference?) if they choose to ignore the assertion. This feature is appropriate mainly in applications in which knowledge of the verifier's support for the feature can be assured."

-- Scott
Received on Tuesday, 8 March 2011 00:34:55 UTC
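
The difference the message draws between an optional position check and XPath-based selection can be seen in a toy verifier. This is an added example, not part of the original message or of the specification: the `<Sig>` element and its `ref`, `pos` and `digest` attributes are a constructed stand-in rather than dsig2 syntax, and a plain SHA-256 over the serialized element stands in for canonicalization and signature validation.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample data. <Sig> and its ref/pos/digest attributes are a toy
# stand-in for a signature reference, not dsig2 syntax.
PAYMENT = '<Payment Id="p1"><To>alice</To></Payment>'

def digest(elem):
    # Stand-in for canonicalization plus hashing; SignatureValue is not modeled.
    return hashlib.sha256(ET.tostring(elem)).hexdigest()

SIG = '<Sig ref="p1" pos="./Body/Payment" digest="%s"/>' % digest(ET.fromstring(PAYMENT))
SIGNED = f"<Envelope><Header>{SIG}</Header><Body>{PAYMENT}</Body></Envelope>"
# Signed element relocated under a wrapper; unsigned content sits where the
# application reads.
WRAPPED = (f"<Envelope><Header>{SIG}<Wrapper>{PAYMENT}</Wrapper></Header>"
           '<Body><Payment Id="p2"><To>mallory</To></Payment></Body></Envelope>')

def by_id(root, ident):
    return next((e for e in root.iter() if e.get("Id") == ident), None)

def verify(doc, mode):
    """mode: 'id' (assertion ignored), 'id+position' (assertion enforced),
    or 'xpath' (the path itself selects what gets digested)."""
    root = ET.fromstring(doc)
    sig = root.find("./Header/Sig")
    asserted = root.find(sig.get("pos"))
    if mode == "xpath":
        target = asserted
    else:
        target = by_id(root, sig.get("ref"))
        if mode == "id+position" and target is not asserted:
            return False
    return target is not None and digest(target) == sig.get("digest")

def consumed(doc):
    # What the application logic actually reads after verification.
    return ET.fromstring(doc).find("./Body/Payment/To").text

if __name__ == "__main__":
    for name, doc in (("signed", SIGNED), ("wrapped", WRAPPED)):
        for mode in ("id", "id+position", "xpath"):
            print(name, mode, verify(doc, mode), "-> app reads", consumed(doc))
```

Only the `id` mode accepts the wrapped document, which is the case of a verifier that chooses to ignore the assertion; with path-based selection there is no optional step to skip, because the digest is computed over the element the application reads.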