Re: Problem with canonical form? from Joseph M. Reagle Jr. on 2001-01-08 (w3c-ietf-xmldsig@w3.org from January to March 2001)

From: Joseph M. Reagle Jr. <reagle@w3.org>
Date: Mon, 08 Jan 2001 15:45:42 -0500
To: "Joseph Ashwood" <jashwood@arcot.com>
Cc: <w3c-ietf-xmldsig@w3.org>
Message-Id: <4.3.2.7.2.20010108153833.02bfda00@rpcp.mit.edu>

Joseph,

I'm actually not sure I understand your example without the portions of XML, 
but it sounds like an issue discussed before. The following text was agreed 
to in the specification to address it:
http://www.w3.org/TR/2000/CR-xmldsig-core-20001031/#sec-See
>For instance, if an XML document includes an embedded style sheet [XSLT] it 
>is the transformed document that that should be represented to the user and 
>signed. To meet this recommendation where a document references an external 
>style sheet, the content of that external resource should also be signed as 
>via a signature Reference -- otherwise the content of that external content 
>might change which alters the resulting document without invalidating the 
>signature.

As Phill points out, Canonical XML provides a serialization of a XML node 
set, that's it. If you have concerns about other references, that is an 
application issue as Donald points out. (Consider a weird screw case where 
some applications might *wish* to make a statement about a URI with dynamic 
content.) Otherwise, if you want these things to be signed, then sign them 
in the Signature or package them together in some such archive.

At 14:39 1/5/2001 -0800, Joseph Ashwood wrote:
>I've found a security risk in canonical XML that I believe needs to be
>covered. Simply stated through example (with probably large portions of xml
>left out):
>
>...
><... namespace declaration...>
><agreement>I agree to pay the amount(s) shown in the namespace</agreement>
>...
>
>once signed, can be later altered simply by changing the namespace
>declaration from reading "Purchase Barbie for 19.95" to "Purchase Ferrari
>for 150,000". The effect being that instead of getting a charge of 19.95 on
>the credit card, the charge becomes 150,000. We have seen these security
>risks become reality with servers being continually hacked all across the
>internet. I can think of no immediate solution outside of embedding the
>namespace file in the canonical XML. I don't think this problem will go
>away, it will just get worse.
>                             Joe


__
Joseph Reagle Jr.
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/People/Reagle/

Received on Monday, 8 January 2001 15:45:48 UTC