Re: Problem with canonical form?


I'm actually not sure I understand your example without the portions of XML, 
but it sounds like an issue discussed before. The following text was agreed 
to in the specification to address it:
>For instance, if an XML document includes an embedded style sheet [XSLT] it 
>is the transformed document that that should be represented to the user and 
>signed. To meet this recommendation where a document references an external 
>style sheet, the content of that external resource should also be signed as 
>via a signature Reference -- otherwise the content of that external content 
>might change which alters the resulting document without invalidating the 

As Phill points out, Canonical XML provides a serialization of a XML node 
set, that's it. If you have concerns about other references, that is an 
application issue as Donald points out. (Consider a weird screw case where 
some applications might *wish* to make a statement about a URI with dynamic 
content.) Otherwise, if you want these things to be signed, then sign them 
in the Signature or package them together in some such archive.

At 14:39 1/5/2001 -0800, Joseph Ashwood wrote:
>I've found a security risk in canonical XML that I believe needs to be
>covered. Simply stated through example (with probably large portions of xml
>left out):
><... namespace declaration...>
><agreement>I agree to pay the amount(s) shown in the namespace</agreement>
>once signed, can be later altered simply by changing the namespace
>declaration from reading "Purchase Barbie for 19.95" to "Purchase Ferrari
>for 150,000". The effect being that instead of getting a charge of 19.95 on
>the credit card, the charge becomes 150,000. We have seen these security
>risks become reality with servers being continually hacked all across the
>internet. I can think of no immediate solution outside of embedding the
>namespace file in the canonical XML. I don't think this problem will go
>away, it will just get worse.
>                             Joe

Joseph Reagle Jr.
W3C Policy Analyst      
IETF/W3C XML-Signature Co-Chair

Received on Monday, 8 January 2001 15:45:48 UTC