- From: Joseph Ashwood <jashwood@arcot.com>
- Date: Fri, 5 Jan 2001 14:39:23 -0800
- To: <w3c-ietf-xmldsig@w3.org>
I've found a security risk in Canonical XML that I believe needs to be covered. Simply stated through an example (with probably large portions of the XML left out):

... <... namespace declaration ...> <agreement>I agree to pay the amount(s) shown in the namespace</agreement> ...

Once signed, this can later be altered simply by changing the namespace declaration from reading "Purchase Barbie for 19.95" to "Purchase Ferrari for 150,000". The effect is that instead of a charge of 19.95 on the credit card, the charge becomes 150,000. We have seen such security risks become reality, with servers being continually hacked all across the internet. I can think of no immediate solution outside of embedding the namespace file in the canonical XML. I don't think this problem will go away; it will just get worse.

Joe
Received on Friday, 5 January 2001 17:43:10 UTC
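The property behind Joe's report is that a signature over a canonicalized document binds the namespace URI as a string, not whatever that URI resolves to, so the resource behind it can change without invalidating the signature. The following is an added illustration, not code from the post or from the W3C working group: it canonicalizes a constructed agreement with Python's standard-library C14N 2.0 writer (the 2001 post concerns the earlier Canonical XML draft, but the pointer-versus-content distinction is the same), shows that the digest covers the URI and not the terms, and then applies the mitigation Joe proposes by embedding the referenced terms in the signed document. The URI, the agreement text and the two versions of the terms are constructed placeholders.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample (not from the post): an agreement whose terms live only
# behind a namespace URI. The URI is a placeholder and resolves to nothing.
TERMS_URI = "http://example.invalid/terms/order-42"
SIGNED_XML = (
    f'<terms:agreement xmlns:terms="{TERMS_URI}">'
    "I agree to pay the amount(s) shown in the namespace"
    "</terms:agreement>"
)
# Constructed stand-ins for what the URI resolves to before and after the
# server behind it is altered. The signed document itself never changes.
HONEST_TERMS = {TERMS_URI: "Purchase Barbie for 19.95"}
ALTERED_TERMS = {TERMS_URI: "Purchase Ferrari for 150,000"}

# Serialise the namespace with the prefix the document already uses.
ET.register_namespace("terms", TERMS_URI)


def canonical_form(xml_text: str) -> str:
    """Canonical XML 2.0 via the standard library (Python 3.8+)."""
    return ET.canonicalize(xml_text)


def canonical_digest(xml_text: str) -> str:
    """Digest of the canonical bytes: this is all a signature over the document binds."""
    return hashlib.sha256(canonical_form(xml_text).encode("utf-8")).hexdigest()


def namespace_uri(xml_text: str) -> str:
    """Namespace URI of the root element (ElementTree spells tags as '{uri}local')."""
    tag = ET.fromstring(xml_text).tag
    return tag[1:tag.index("}")] if tag.startswith("{") else ""


def interpret(xml_text: str, store: dict) -> str:
    """What a relying party reads: the agreement text plus the terms the URI points to."""
    root = ET.fromstring(xml_text)
    return f"{root.text} => {store[namespace_uri(xml_text)]}"


def embed_terms(xml_text: str, store: dict) -> str:
    """Mitigation in the spirit of the post: copy the referenced terms into the
    document so that they are covered by the signature instead of merely named."""
    root = ET.fromstring(xml_text)
    uri = namespace_uri(xml_text)
    terms = ET.SubElement(root, f"{{{uri}}}terms")
    terms.text = store[uri]
    return ET.tostring(root, encoding="unicode")


def demo() -> dict:
    """Return the observations a verifier would want to check."""
    c14n = canonical_form(SIGNED_XML)
    return {
        # The URI string is inside the signed bytes ...
        "uri_is_signed": TERMS_URI in c14n,
        # ... but the terms it points to are not.
        "terms_are_signed": "19.95" in c14n,
        # Same document, same digest, different meaning once the store changes.
        "meaning_changed_without_touching_document":
            interpret(SIGNED_XML, HONEST_TERMS) != interpret(SIGNED_XML, ALTERED_TERMS),
        # With the terms embedded, altering them alters the signed bytes.
        "embedded_terms_change_signed_bytes":
            canonical_digest(embed_terms(SIGNED_XML, HONEST_TERMS))
            != canonical_digest(embed_terms(SIGNED_XML, ALTERED_TERMS)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Embedding the terms (or, equivalently, a digest of them) turns an external dependency into signed content, which is the same reasoning later applied to `<Reference>` elements in XML Signature: anything the verifier must trust has to be under the signature, not merely pointed at by it.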