- From: Konrad Lanz <Konrad.Lanz@iaik.tugraz.at>
- Date: Thu, 09 Aug 2007 10:39:02 +0200
- To: Christian Geuer-Pollmann <Christian.Geuer-Pollmann@microsoft.com>
- CC: "Marcus.Ertel@Extern.Sparkassen-Informatik.de" <Marcus.Ertel@Extern.Sparkassen-Informatik.de>, "public-xmlsec-maintwg@w3.org" <public-xmlsec-maintwg@w3.org>, "w3c-ietf-xmldsig@w3.org" <w3c-ietf-xmldsig@w3.org>, "Konrad.Lanz@iaik.tugraz.ac.at" <Konrad.Lanz@iaik.tugraz.ac.at>, "m.ertel@gmx.com" <m.ertel@gmx.com>, "Heiko.Dittmann@Sparkassen-Informatik.de" <Heiko.Dittmann@Sparkassen-Informatik.de>
- Message-ID: <46BAD2A6.8090403@iaik.tugraz.at>
Dear Christian Geuer-Pollmann, I partially agree what you suggest may be a viable proposal for a second version of XMLDSig, but I disagree that the current normative parts unambiguously specify what should be done with '#', '%', '[', ']' in the URI Attribute of a reference. Hence the only solid choice is to escape these characters if they do not initiate the fragment of a URI or an escape sequence or delimit an IPv6 host respectively. Christian Geuer-Pollmann wrote: > [...] your first example > > <Reference URI="#xpointer(//*[@authenticate='true'])"> > > is correct. Well I'd say both are correct, if the assumption for the first example holds that '[', ']' are moved to the reserved characters for non IPv6 URIs as well. This assumption in - at least from my point of view - possible, but not very solid, because albeit RFC 2732 extended RFC 2396 for IPv6 only and it did not obsolete it. http://tools.ietf.org/html/rfc2732 : > It defines a syntax > for IPv6 addresses and allows the use of "[" and "]" within a URI > explicitly for this reserved purpose. However in the spirit of RFC 3986 it is valid to make the previous assumption, which however is not yet normative for XMLDSig. RFC 3986 can become normative as soon as it is believed that it will not cause a conformance affecting change to XMLDSig. Currently normative for this issue are the following bits: ### [1] http://www.w3.org/TR/xmldsig-core/#sec-URI [2] http://tools.ietf.org/html/rfc2396 For IPv6 [3] http://tools.ietf.org/html/rfc2732 and via the schema data type anyURI, but not via the DTD [4] http://www.w3.org/TR/xmlschema-2/#anyURI [5] http://www.w3.org/TR/2001/WD-charmod-20010126/#sec-URIs ### [1] standardizes that '[' ']' are permitted for IPv6 in conformance with [3]. However the question can be asked whether it is possible for a fragment only URI reference to be affected by [3] at all as it is a same document reference and not in touch with IPv6 at all. [1] suggests that the number sign (#) and percent sign (%) are permitted everywhere under all circumstances which however would contradict [2]. And hence is questionable. [1] norms (#) and percent sign (%) are permitted everywhere under all circumstances which however would contradict [2]. Conclusion: Always escape '#', '%', '[', ']' if not used for their most fundamental application (i.e. fragment, escaping, IPv6). The second example and also the following example however is in any way correct as it strictly complies to RFC 2396 and is not affected by any of the rules in [1] - [5] to twist the URI: <Reference URI="#xpointer(//*%5B@authenticate='true'%5D)"> > The other thing *would* be the escape sequence which you > need when sensing the URI as part of a GET request to some web > server, i.e. when the URI would be consumed and cracked by an HTTP > server. That is not the case at XML Signature: the @URI attribute > here is processed by an XML Signature library, which does not expect > that escaping. Well it actually must be able to treat the escaped version as well as it's neither prohibited by any of [1] - [5] . > Doing RFC2396 escaping in a ds:Reference/@URI is wrong > (and just feeding that into a concrete implementation should actually > give you that answer with some nice exception :)). Well then that implementation should be changed accordingly, as escaping is nowhere prohibited. regards Konrad P.S.: Personally I believe what the text in [1] tried to achieve was what is specified [5], but it confused things a bit. [5] does not allow number sign (#) and percent sign (%) characters in their unescaped form, but for initiating the fragment or an escape sequence. The same holds true for square brackets as long as the references are not updated to RFC 3986. To cut a long story short '#', '%', '[', ']' are not "disallowed characters" in the sense of [5] however they are to be escaped according to [2] and [3] if not used as initiating character for the fragment of a URI or an escape sequence or to delimit an IPv6 host respectively. Forwarded to http://lists.w3.org/Archives/Public/public-xmlsec-comments/ public-xmlsec-comments@w3.org you may want to subscribe to this list. Marcus Ertel wrote: > Ladies and Gentlemen: > > Let me start with a brief introduction of the issue that makes me ask > for a clarification from your side. My name is Marcus Ertel and I am > with "Sparkassen Informatik", one of the biggest IT service providers > in Germany. We are currently busy introducing the new money transfer > standard EBICS (Electronic Banking Internet Communication Standard; > please see > <http://www.ebics-zka.de/english/spec/specification_en.htm>) which > relies heavily on XML and particularly XML Signature. > > The various implementations of EBICS raised a discussion concerning > the handling of the Reference URI in the SignedInfo element of an XML > signature. The issue is, quite briefly, as follows: > > The XML data of an EBICS message contain a <SignedInfo> element with > a <Reference URI> that contains an XPointer: > > <Reference URI="#xpointer(//*[@authenticate='true'])"> > > Now there's an ongoing discussion about the handling of this URI > before the calculation of the XML Signature. One opinion is as > follows: In order to obtain a valid, RFC 2396 compliant URI, parts of > the Reference URI have to be escaped properly. Hence, the URI fed > into the signature process is as follows: > > <Reference > URI="#xpointer(%2F%2F*%5B%40authenticate%3D%27true%27%5D)"> > > On the other hand, there is quite the opposite opinion. Its > proponents say that no escaping at all is necessary, because the URI > consists of just an XPointer. And as all the candidates for escaping > are parts of this XPointer, they do not infringe the requirements of > RFC 2396. > > Could you please kindly advise on how to process this special URI? We > need this clarification because there are ISV's providing the German > banking software market with these two implementations of the XML > Signature standard. This in turn leads to products unable to cope > with each other while all of them claim to be compliant with the XML > Signature standard. > [...] -- Konrad Lanz, IAIK/SIC - Graz University of Technology Inffeldgasse 16a, 8010 Graz, Austria Tel: +43 316 873 5547 Fax: +43 316 873 5520 https://www.iaik.tugraz.at/aboutus/people/lanz http://jce.iaik.tugraz.at Certificate chain (including the EuroPKI root certificate): https://europki.iaik.at/ca/europki-at/cert_download.htm
Received on Thursday, 9 August 2007 08:39:43 UTC