- From: Cutler, Roger (RogerCutler) <RogerCutler@ChevronTexaco.com>
- Date: Tue, 6 Aug 2002 07:59:35 -0700
- To: "'Mark Baker'" <distobj@acm.org>, "Cutler, Roger (RogerCutler)" <RogerCutler@ChevronTexaco.com>
- cc: www-ws-arch@w3.org

Actually, "don't do it" was my answer too. The subject came up in discussion of some guidelines for use of XML in X12 recently published for comment by DISA (http://www.x12.org/x12org/comments/index.cfm). They recommend avoiding the use of default and fixed values in schemas but don't say much about why. It seems to me that the issues I am raising are one reason not to use these features. In my comments I said, "Much better, I think, to keep all the data in the XML document itself. Avoid nasty surprises." Which seems somewhat similar to what you are saying.

Having said that, it does seem to me that it would be possible to include as data within the XML document a digital signature (or checksum -- whatever the encryption people call this thing) for the schema as well as version information so that the receiver of the message can recalculate the signature and check that the schema is, in fact, exactly the same as the one used by the sender of the message.

-----Original Message-----
From: Mark Baker [mailto:distobj@acm.org]
Sent: Tuesday, August 06, 2002 9:04 AM
To: Cutler, Roger (RogerCutler)
Cc: www-ws-arch@w3.org
Subject: Re: Security Question

On Mon, Aug 05, 2002 at 12:17:18PM -0700, Cutler, Roger (RogerCutler) wrote:
> I think my example was not a good one. Basically, I am concerned that
> schema validation may add to the data in an XML document and thus that
> there are two linked "things" -- so how is that linkage made reliable?

IMO, making the meaning of a message depend on something external to a message is a bad idea for lots of reasons. FWIW, I contributed this to the ietf-xml-use work;

    4.13 External References

    When using XML in the context of a stateless protocol, be it the protocol itself (e.g., SOAP), or simply as content transferred by an existing protocol (e.g., XML/HTTP), care must be taken to not make the meaning of a message depend on information outside the message itself.

    XML provides external entities (see Section 4.12), which are an easy way to make the meaning of a message depend on something external. Using schema languages that can change the Infoset, like XML Schema, is another way.

See; http://www.imc.org/ietf-xml-use/draft-hollenbeck-ietf-xml-guidelines-05.txt

So my answer would be; don't do that. 8-)

MB
--
Mark Baker, CTO, Idokorro Mobile (formerly Planetfred)
Ottawa, Ontario, CANADA. distobj@acm.org
http://www.markbaker.ca http://www.idokorro.com

Received on Tuesday, 6 August 2002 11:00:18 UTC
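
The schema check proposed in the reply above (a schema digest and version carried in the message and recomputed by the receiver), sketched as an added example that is not part of the original thread. The sample schema and the `schemaVersion` / `schemaDigest` attribute names are assumptions; the digest is a plain SHA-256 over the canonical form, which detects a mismatched schema but is not a digital signature.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample schema: "currency" has a default, so validation can add
# data to the infoset that is not present in the message itself.
SENDER_XSD = """<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="order">
    <xs:complexType>
      <xs:attribute name="amount" type="xs:decimal"/>
      <xs:attribute name="currency" type="xs:string" default="USD"/>
    </xs:complexType>
  </xs:element>
</xs:schema>"""

# Same schema re-serialised (attribute order and quoting changed).
RESERIALISED_XSD = SENDER_XSD.replace(
    'name="currency" type="xs:string" default="USD"',
    "default='USD' type='xs:string' name='currency'")

# Receiver copy whose default has drifted: the message would mean something else.
DRIFTED_XSD = SENDER_XSD.replace('default="USD"', 'default="EUR"')


def schema_digest(xsd_text):
    """SHA-256 over the C14N 2.0 form, so only real content changes count."""
    canonical = ET.canonicalize(xml_data=xsd_text, strip_text=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_message(amount, xsd_text, version):
    """Sender: record the schema version and digest the message was written against."""
    order = ET.Element("order", {
        "amount": amount,
        "schemaVersion": version,                 # hypothetical attribute name
        "schemaDigest": schema_digest(xsd_text),  # hypothetical attribute name
    })
    return ET.tostring(order, encoding="unicode")


def schema_matches(message_xml, local_xsd_text, local_version):
    """Receiver: recompute the local schema's digest before validating with it."""
    order = ET.fromstring(message_xml)
    return (order.get("schemaVersion") == local_version
            and order.get("schemaDigest") == schema_digest(local_xsd_text))
```
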