xml-xmlbeans-dev mailing list archives

From David Waite <m...@akuma.org>
Subject Re: xmlbeans xml security
Date Fri, 02 Jul 2004 23:12:12 GMT
http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2001AprJun/0363.html

(Sorry for the terseness, flying today)

-David Waite

On Jul 2, 2004, at 4:34 PM, Noah Campbell wrote:

> I read the c14n spec this morning.  They only talk about DTD and do
> not mention schemas at all.  This probably considers some
> clarification from w3c regarding the spec in regards to XML Schema.
> One could assume that only if DTDs are present then the rules should
> be followed or one could try to duplicate the functionality with XML
> Schema.  I don't know which is best or even appropriate.
>
> Noah
>
> On Thu, 1 Jul 2004 21:26:33 -0700, Eric Vasilik <ericvas@bea.com> wrote:
>>
>> Are you saying that c14n says that the canonicalized form for a document
>> must include defaulted attributes that were specified by an XmlSchema?
>> That is to say, if an element does not have attribute x, but the
>> XmlSchema it is bound to has a default attribute value for x, the canonical
>> form must include that attribute?  The spec seems to suggest that the
>> default attrs specified in a DTD must be included, but, that's a parsing
>> issue for XmlBeans, and is irrelevant when producing the canonical form
>> for a loaded document in Xmlbeans.
>>
>> Right now, the saver is not influenced by the schema associated
>> with the instance being saved.
>>
>> - Eric
>>
>> -----Original Message-----
>> From: David Waite [mailto:mass@akuma.org]
>> Sent: Thursday, July 01, 2004 2:48 PM
>> To: xmlbeans-dev@xml.apache.org
>> Subject: Re: xmlbeans xml security
>>
>> On Jul 1, 2004, at 3:30 PM, Noah Campbell wrote:
>>
>>> I'll assume that BEA's impl is not available for general consumption.
>>
>> I dunno what BEA's impl looks like :)
>>
>>>
>>> In regards to the current xmlstore, aren't the namespace names
>>> synthetic anyway?  I mean, you don't need to rely on the name except
>>> for its ability to link an element, etc to a namespace.  If someone is
>>> passing information through the namespace name then this might be
>>> considered a potential leak if full infoset is preserved.  This is
>>> probably contrived and sorta silly but it is still something to
>>> consider.
>>
>> In normal XML, sure. When you start canonicalizing xml, namespace
>> prefixes matter, because qname types require schema awareness on some
>> level to identify. If your canonicalized form allowed arbitrary
>> prefixes to be chosen, someone could conceivably change the meaning of
>> a document by putting a qname value in a different namespace.
>>
>> The only real awareness of a schema or dtd used by canonicalization is
>> expansion of attribute default types. I believe all the 'secure'
>> messages (ws-security, saml) avoid default namespaces so they don't
>> encounter this really ugly side-effect.
>>
>> The issue is that when you parse in xml, it uses a qname and stores the
>> namespace URI and the local name, but not the prefix. If you get a
>> signed document which declares a namespace both with a prefix and as
>> the default namespace (perfectly valid) this breakage of infoset
>> fidelity will cause the canonical form to differ where the saver chose
>> a different namespace than was originally used, thus you will get a
>> different hash out, and have very little idea what happened.
>>
>>>
>>> (a silly side channel attack for example)
>>>
>>> <element xmlns:thePassphraseIsCheese="http://t.l.d/secureMessage">
>>>       <thePassphraseIsCheese:passphraseProtectedElement>
>>>                09832jkfadilafj#$@#rkfdali9fdalksdjf93aldkfja093ajfd
>>>       </thePassphraseIsCheese:passphraseProtectedElement>
>>> </element>
>>>
>>
>> Yes, fire the developer who did this ;-)
>>
>> The issue is that the W3C allowed content to become dependent on
>> namespaces, as if namespaces weren't tricky enough as is. XPath
>> expressions and QName values in attributes and text nodes make the
>> namespaces important, as a transformation that changes the namespaces
>> now needs to understand the context of the document which they are
>> placed on. So while you could make a filter which replaced the prefix
>> above with 'x0', it would need to know the schema, and would have to
>> filter _after_ canonicalization and any validation associated (such as
>> xml-dsig).
>>
>> -David Waite
>>


- ---------------------------------------------------------------------
To unsubscribe, e-mail:   xmlbeans-dev-unsubscribe@xml.apache.org
For additional commands, e-mail: xmlbeans-dev-help@xml.apache.org
Apache XMLBeans Project -- URL: http://xml.apache.org/xmlbeans/
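
Added example, not part of the original thread and not XMLBeans code: it shows why a prefix-rewriting filter "would need to know the schema", using a QName value in element text. Assumptions: Python's xml.etree.ElementTree.canonicalize (C14N 2.0 with optional prefix rewriting, not the 2001 C14N spec the thread discusses) stands in for the canonicalizer, the URIs and element names are constructed, and QNAME_TAGS is a hypothetical stand-in for schema knowledge.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: the text of <a:code> is a QName, so its meaning depends
# on what prefix "b" is bound to. Only a schema tells a tool that it is one.
TEMPLATE = ('<a:fault xmlns:a="urn:example:a" xmlns:b="{b_uri}">'
            '<a:code>b:Denied</a:code></a:fault>')
DOC_SIGNED = TEMPLATE.format(b_uri="urn:example:policy")
DOC_REBOUND = TEMPLATE.format(b_uri="urn:example:other")  # same bytes of text, other namespace

# Hypothetical stand-in for schema knowledge: elements with QName-typed content.
QNAME_TAGS = {"{urn:example:a}code"}


def canonical(xml_text, qname_tags=None):
    """Canonicalize with generated prefixes (n0, n1, ...).

    Without qname_tags the canonicalizer only sees prefixes used by element
    and attribute names, so the binding for "b" is dropped as unused.
    """
    return ET.canonicalize(xml_text, rewrite_prefixes=True,
                           qname_aware_tags=qname_tags)


def digest(xml_text, qname_tags=None):
    """SHA-256 over the canonical form, as a signature's digest step would do."""
    data = canonical(xml_text, qname_tags).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def compare():
    """Do the two documents hash the same under each canonicalization?"""
    return {
        # Schema-unaware rewriting: both documents collapse to one form.
        "naive_collides": digest(DOC_SIGNED) == digest(DOC_REBOUND),
        # QName-aware rewriting keeps the namespace of b:Denied in the form.
        "aware_collides": (digest(DOC_SIGNED, QNAME_TAGS)
                           == digest(DOC_REBOUND, QNAME_TAGS)),
    }


if __name__ == "__main__":
    print(canonical(DOC_SIGNED))              # "b:Denied" left dangling
    print(canonical(DOC_SIGNED, QNAME_TAGS))  # QName text rewritten with its binding
    print(compare())
```

A digest that does not change when the QName's namespace changes cannot protect that value, which is why canonical XML keeps the original prefixes and why a store that drops them cannot reproduce the signed bytes.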

