- From: <Frederick.Hirsch@nokia.com>
- Date: Tue, 8 Mar 2011 15:02:13 +0000
- To: <cantor.2@osu.edu>
- CC: <Frederick.Hirsch@nokia.com>, <public-xmlsec@w3.org>
Should the first sentence read "signers" instead of "verifiers"?

> While using the PositionAssertion feature allows more flexibility in
> accommodating XPath-unaware verifiers

regards, Frederick

Frederick Hirsch
Nokia

On Mar 7, 2011, at 7:34 PM, ext Cantor, Scott E. wrote:

> My recollection of this issue was that we wanted to urge applications to
> favor XPath for selection over XPath for verification because the latter
> is optional for the verifier, so would lead to wrapping attacks even if
> the PositionAssertion feature were used.
>
> So I suggest adding the following text to section 10.7.2 of the Feb 7th WD
> of Sig 2.0:
>
> "While using the PositionAssertion feature allows more flexibility in
> accommodating XPath-unaware verifiers, applications SHOULD favor the use of
> XPath-based selection via the dsig2:IncludedXPath element over the use of
> this feature in most cases. Because verification of the PositionAssertion
> is formally optional, verifiers may become subject to positional wrapping
> attacks (Reference?) if they choose to ignore the assertion. This feature
> is appropriate mainly in applications in which knowledge of the
> verifier's support for the feature can be assured."
>
> -- Scott
Received on Tuesday, 8 March 2011 15:03:01 UTC