santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 44629] New: Switch order of XML Signature validation steps
Date Tue, 18 Mar 2008 17:27:15 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=44629

           Summary: Switch order of XML Signature validation steps
           Product: Security
           Version: Java 1.4.1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Signature
        AssignedTo: security-dev@xml.apache.org
        ReportedBy: sean.mullan@sun.com


The XMLDSig specification lists the order of operations in core validation as
first validating the digests, and then the signature. This order is not a
requirement but the Java XMLSec implementation chose to implement it in this
order. 

The reverse order (validating the signature first and then the digests) is
actually safer and leads to earlier detection of invalid signatures, as this
would detect attempts to insert or modify information in the SignedInfo element
before validating the references. For example, this would detect attempts to
insert malicious transforms before they are executed, or any modification of
the contents of the SignedInfo.

See Brad Hill's paper for more information:
http://www.w3.org/2007/xmlsec/ws/papers/04-hill-isecpartners


-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

Mime
View raw message