- From: Christian Geuer-Pollmann <Christian.Geuer-Pollmann@microsoft.com>
- Date: Thu, 9 Aug 2007 16:56:33 +0100
- To: "Marcus.Ertel@Extern.Sparkassen-Informatik.de" <Marcus.Ertel@Extern.Sparkassen-Informatik.de>
- CC: "Heiko.Dittmann@Sparkassen-Informatik.de" <Heiko.Dittmann@Sparkassen-Informatik.de>, "Konrad.Lanz@iaik.tugraz.at" <Konrad.Lanz@iaik.tugraz.at>, Marcus Ertel <m.ertel@gmx.com>, "public-xmlsec-maintwg@w3.org" <public-xmlsec-maintwg@w3.org>, Tom Gindin <tgindin@us.ibm.com>, "w3c-ietf-xmldsig@w3.org" <w3c-ietf-xmldsig@w3.org>
- Message-ID: <6CF75D3DC659834C980077A2E31582BE09B9D36127@EA-EXMSG-C310.europe.corp.microsoft.>
Well, to give an example: When I wrote my XML Signature implementation (which is now Apache XML Security), I only supported exactly the / and id(‘foo’) xpointers, and I would guess that others did the same: http://cvs.apache.org/viewvc/xml/security/trunk/src/org/apache/xml/security/utils/resolver/implementations/ResolverXPointer.java?view=markup Best regards, Christian Europäisches Microsoft Innovations Center GmbH, Ritterstrasse 23, D-52072 Aachen, Germany Geschäftsführer: Keith Dolliver, Benjamin O. Orndorff; Amtsgericht Aachen, HRB 12066 http://www.microsoft.com/emic/ From: Marcus.Ertel@Extern.Sparkassen-Informatik.de [mailto:Marcus.Ertel@Extern.Sparkassen-Informatik.de] Sent: Donnerstag, 9. August 2007 15:53 To: Christian Geuer-Pollmann Cc: Heiko.Dittmann@Sparkassen-Informatik.de; Konrad.Lanz@iaik.tugraz.at; Marcus Ertel; public-xmlsec-maintwg@w3.org; Tom Gindin; w3c-ietf-xmldsig@w3.org Subject: Antwort: RE: Antwort: RE: AW: XML Signature - Request for clarification [Virus checked] Thanks Christian, using this xpointer construction was not my personal idea, but a requirement of the German money transfer standard EBICS, please see <http://www.ebics-zka.de/english/spec/specification_en.htm>. In the scope of our compatibility tests we have to ensure that all EBICS clients and servers are EBICS-compliant. And as EBICS refers to the XML-DSig-Standard, the software we test must comply to XML-DSig. But different toolkits used in various products handle(d) the Reference URI differently. As products based on a contrary interpretations of the same standard would be a disaster, we need a clarification and no longer room for interpretation. I'm sure that when the processing details of XML Signature are completely defined, all the toolkits will handle the Reference URI in the same way and there's no longer the situation where both opponents are right. That's the point for me. Best regards, Marcus Christian Geuer-Pollmann <Christian.Geuer-Pollmann@microsoft.com> 09.08.2007 15:25 An "Marcus.Ertel@Extern.Sparkassen-Informatik.de" <Marcus.Ertel@Extern.Sparkassen-Informatik.de> Kopie "Heiko.Dittmann@Sparkassen-Informatik.de" <Heiko.Dittmann@Sparkassen-Informatik.de>, "Konrad.Lanz@iaik.tugraz.ac.at" <Konrad.Lanz@iaik.tugraz.ac.at>, Marcus Ertel <m.ertel@gmx.com>, "public-xmlsec-maintwg@w3.org" <public-xmlsec-maintwg@w3.org>, Tom Gindin <tgindin@us.ibm.com>, "w3c-ietf-xmldsig@w3.org" <w3c-ietf-xmldsig@w3.org> Thema RE: Antwort: RE: AW: XML Signature - Request for clarification [Virus checked] One of the questions you should ask yourself is why you don’t do the actual node selection in the ds:Transforms anyway? I would expect that with the approach you’re following here, you’re calling for trouble. If you want to select multiple subtrees in the document, I would select the whole document’s xpath node set in the URI=”” and do the filtering in the Transforms anyway. Using a URI like #xpointer(//*[@authenticate='true'])may not be supported by many XML Signature toolkits, as that’s not a requirement for a toolkit to call itself “XML Signature 1.0 compliant”. So when you want to work with different toolkits, that’s a recipe for trouble. When you only intend to use a single toolkit, you should actually just do what that particular toolkit understands. Best regards, Christian Europäisches Microsoft Innovations Center GmbH, Ritterstrasse 23, D-52072 Aachen, Germany Geschäftsführer: Keith Dolliver, Benjamin O. Orndorff; Amtsgericht Aachen, HRB 12066 http://www.microsoft.com/emic/ From: Marcus.Ertel@Extern.Sparkassen-Informatik.de [mailto:Marcus.Ertel@Extern.Sparkassen-Informatik.de] Sent: Donnerstag, 9. August 2007 14:56 To: Christian Geuer-Pollmann Cc: Heiko.Dittmann@Sparkassen-Informatik.de; Konrad.Lanz@iaik.tugraz.ac.at; Marcus Ertel; public-xmlsec-maintwg@w3.org; Tom Gindin; w3c-ietf-xmldsig@w3.org Subject: Antwort: RE: AW: XML Signature - Request for clarification [Virus checked] Hi all, I'm not yet convinced that Christian's point of view is completely correct: While the signature lib has full access to the Reference URI, this doesn't necessarily mean that everything passed as an URI is correct in terms of the RFCs that describe what a Reference URI is supposed to look like. Briefly: The direct access to the data doesn't make them "legal", it only eases processing for less strict libraries. Regards, Marcus Christian Geuer-Pollmann <Christian.Geuer-Pollmann@microsoft.com> 09.08.2007 14:31 An Tom Gindin <tgindin@us.ibm.com>, Marcus Ertel <m.ertel@gmx.com> Kopie "Heiko.Dittmann@Sparkassen-Informatik.de" <Heiko.Dittmann@Sparkassen-Informatik.de>, "Konrad.Lanz@iaik.tugraz.ac.at" <Konrad.Lanz@iaik.tugraz.ac.at>, "Marcus.Ertel@Extern.Sparkassen-Informatik.de" <Marcus.Ertel@Extern.Sparkassen-Informatik.de>, "public-xmlsec-maintwg@w3.org" <public-xmlsec-maintwg@w3.org>, "w3c-ietf-xmldsig@w3.org" <w3c-ietf-xmldsig@w3.org> Thema RE: AW: XML Signature - Request for clarification [Virus checked] As I said: The attribute's text value is not sent to an HTTP server as GET URL where everything needs to be escaped properly, but processed by an XML Signature library which has full and direct access to the xmlAttribute.Value property, so I don't see a need to escape anything here. Best regards, Christian Europäisches Microsoft Innovations Center GmbH, Ritterstrasse 23, D-52072 Aachen, Germany Geschäftsführer: Keith Dolliver, Benjamin O. Orndorff; Amtsgericht Aachen, HRB 12066 http://www.microsoft.com/emic/ -----Original Message----- From: Tom Gindin [mailto:tgindin@us.ibm.com] Sent: Donnerstag, 9. August 2007 14:27 To: Marcus Ertel; Christian Geuer-Pollmann Cc: Heiko.Dittmann@Sparkassen-Informatik.de; Konrad.Lanz@iaik.tugraz.ac.at; Marcus.Ertel@Extern.Sparkassen-Informatik.de; public-xmlsec-maintwg@w3.org; w3c-ietf-xmldsig@w3.org Subject: Re: AW: XML Signature - Request for clarification [Virus checked] Christian: How does a complete absence of escape processing for the Reference attribute square with XMLDSIG section 4.3.3.1? That section says (point 2) that "some Unicode characters are disallowed from URI references including all non-ASCII characters and the excluded characters listed in RFC2396 [URI, section 2.4]. However, the number sign (#), percent sign (%), and square bracket characters re-allowed in RFC 2732 [URI-Literal] are permitted." None of the characters in Marcus' example need to be escaped, and the test vectors explicitly show solidus and apostrophe as not being escaped. But don't angle brackets and double quotation marks need to be escaped? Tom Gindin "Marcus Ertel" <m.ertel@gmx.com> Sent by: w3c-ietf-xmldsig-request@w3.org 08/08/2007 04:32 PM To "'Christian Geuer-Pollmann'" <Christian.Geuer-Pollmann@microsoft.com>, <Marcus.Ertel@Extern.Sparkassen-Informatik.de>, <public-xmlsec-maintwg@w3.org> cc <w3c-ietf-xmldsig@w3.org>, <Konrad.Lanz@iaik.tugraz.ac.at>, <Heiko.Dittmann@Sparkassen-Informatik.de> Subject AW: XML Signature - Request for clarification [Virus checked] Christian, thanks for your quick response! Well, this looks like quite a straightforward solution to a tedious problem. I remember that I came across a hint into the direction that you describe when my research led me into the Javadocs of the URLEncoder class that produces the (in our case) wrong output (an ISV's library required the Referene URI be RFC 2396 compliant). - But I just couldn't (and almost still can't) imagine a solution this easy, because there were long and very qualified discussions with ISVs, suppliers of JCE's and even the German section of the W3C regarding the handling of the Reference URI. Anyway, I'm glad that this issue looks solved now. And maybe there'll be more contributions to this discussion by the other addressees of your mail...? Thanks again and best regards! Marcus > -----Ursprüngliche Nachricht----- > Von: Christian Geuer-Pollmann > [mailto:Christian.Geuer-Pollmann@microsoft.com] > Gesendet: Mittwoch, 8. August 2007 21:09 > An: Marcus.Ertel@Extern.Sparkassen-Informatik.de; > public-xmlsec-maintwg@w3.org > Cc: w3c-ietf-xmldsig@w3.org; Konrad.Lanz@iaik.tugraz.ac.at; > m.ertel@gmx.com; Heiko.Dittmann@Sparkassen-Informatik.de > Betreff: RE: XML Signature - Request for clarification [Virus checked] > > Marcus, > > > > your first example > > > > <Reference URI="#xpointer(//*[@authenticate='true'])"> > > > > is correct. The other thing *would* be the escape sequence > which you need when sensing the URI as part of a GET request > to some web server, i.e. when the URI would be consumed and > cracked by an HTTP server. That is not the case at XML > Signature: the @URI attribute here is processed by an XML > Signature library, which does not expect that escaping. Doing > RFC2396 escaping in a ds:Reference/@URI is wrong (and just > feeding that into a concrete implementation should actually > give you that answer with some nice exception J). > > > > Best regards, > > Christian > > > > Europäisches Microsoft Innovations Center GmbH, Ritterstrasse > 23, D-52072 Aachen, Germany > > Geschäftsführer: Keith Dolliver, Benjamin O. Orndorff; > Amtsgericht Aachen, HRB 12066 > > http://www.microsoft.com/emic/ <http://www.microsoft.com/emic/> > > > > From: w3c-ietf-xmldsig-request@w3.org > [mailto:w3c-ietf-xmldsig-request@w3.org] On Behalf Of > Marcus.Ertel@Extern.Sparkassen-Informatik.de > Sent: Montag, 6. August 2007 14:26 > To: public-xmlsec-maintwg@w3.org > Cc: w3c-ietf-xmldsig@w3.org; Konrad.Lanz@iaik.tugraz.ac.at; > m.ertel@gmx.com; Heiko.Dittmann@Sparkassen-Informatik.de > Subject: XML Signature - Request for clarification [Virus checked] > > > > > Ladies and Gentlemen: > > Let me start with a brief introduction of the issue that > makes me ask for a clarification from your side. > My name is Marcus Ertel and I am with "Sparkassen > Informatik", one of the biggest IT service providers in > Germany. We are currently busy introducing the new money > transfer standard EBICS (Electronic Banking Internet > Communication Standard; please see > <http://www.ebics-zka.de/english/spec/specification_en.htm>) > which relies heavily on XML and particularly XML Signature. > > The various implementations of EBICS raised a discussion > concerning the handling of the Reference URI in the > SignedInfo element of an XML signature. The issue is, quite > briefly, as follows: > > The XML data of an EBICS message contain a <SignedInfo> > element with a <Reference URI> that contains an XPointer: > > <Reference URI="#xpointer(//*[@authenticate='true'])"> > > Now there's an ongoing discussion about the handling of this > URI before the calculation of the XML Signature. One opinion > is as follows: > In order to obtain a valid, RFC 2396 compliant URI, parts of > the Reference URI have to be escaped properly. Hence, the URI > fed into the signature process is as follows: > > <Reference > URI="#xpointer(%2F%2F*%5B%40authenticate%3D%27true%27%5D)"> > > On the other hand, there is quite the opposite opinion. Its > proponents say that no escaping at all is necessary, because > the URI consists of just an XPointer. And as all the > candidates for escaping are parts of this XPointer, they do > not infringe the requirements of RFC 2396. > > Could you please kindly advise on how to process this special > URI? We need this clarification because there are ISV's > providing the German banking software market with these two > implementations of the XML Signature standard. This in turn > leads to products unable to cope with each other while all of > them claim to be compliant with the XML Signature standard. > > Thank you very much in advance and best regards from Munich > > Marcus Ertel, Sparkassen Informatik > > Sparkassen Informatik GmbH & Co.KG > Richard-Reitzner-Allee 8 > 85540 München / Haar > > _____________________________________________________________________ > > Sparkassen Informatik GmbH & Co. KG, Theodor-Heuss-Allee 90, > D 60486 Frankfurt a.M. > Amtsgericht Frankfurt a.M. HRA 30059; > Aufsichtsratsvorsitzender: Dr. Rolf Gerlach; Persönlich > haftende Gesellschafterin: Sparkassen Informatik > Verwaltungsgesellschaft mbH, Sitz: Frankfurt a.M., > Amtsgericht Frankfurt a.M. HRB 52289, Geschäftsführer: > Fridolin Neumann (Vorsitzender), Franz-Theo Brockhoff (stv. > Vorsitzender), Werner Brunner (stv. Vorsitzender), Uwe > Katzenburg (stv. Vorsitzender), Willi Bär, Harald Lux; > Internet: http://www.sparkassen-informatik.de, E-Mail: > kontakt@sparkassen-informatik.de > >
Received on Thursday, 9 August 2007 15:58:24 UTC