xml-xmlbeans-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Noah Campbell <noahcampb...@gmail.com>
Subject Re: xmlbeans xml security
Date Thu, 01 Jul 2004 21:30:32 GMT
I'll assume that BEA's impl is not available for general consumption.

In regards to the current xmlstore, aren't the namespace names
synthetic anyway?  I mean, you don't need to rely on the name except
for its ability to link an element, etc to a namespace.  If someone is
passing information through the namespace name then this might be
considered a potential leak if full infoset is preserved.  This is
probably contrieved and sorta silly but it is still something to
consider.

(a silly side channel attack for example)

<element xmlns:thePassphraseIsCheese="http://t.l.d/secureMessage">
      <thePassphraseIsCheese:passphraseProtectedElement>
               09832jkfadilafj#$@#rkfdali9fdalksdjf93aldkfja093ajfd
<thePassphraseIsCheese:passphraseProtectedElement>
</element>

In regards to the DOM method, the idea is to speed up the processing
by leveraging the XmlCursor's ability to parse schema instance's
quickly.  The proof is in the pudding and I guess I need to write a
saver and compare the results.



On Thu, 1 Jul 2004 15:21:08 -0600, David Waite <mass@akuma.org> wrote:
> 
> We (the company I work for) already uses xmlbeans with xmlsec today; we
> just create a new DOM and sign that, then import the signature block
> back into the original xmlbeans message. Because the internal format is
> lossless, this works - as long as we explicitly declare all namespaces.
> 
> On the reverse side (verification) we again create a DOM and verify the
> signature off of it. We have a patch, as the v1 XmlBeans store does not
> have full infoset fidelity with respect to namespaces, in particular
> prefix information is lost. This is one patch of many on my plate to
> review and propose. :)
> 
> -David Waite
> 
> 
> 
> On Jul 1, 2004, at 1:13 PM, Noah Campbell wrote:
> 
> > I was looking at the xml-sec project for dsig.  They have a
> > CanonicalizerBase class that is meant to facilitate the c14n.  see
> > http://cvs.apache.org/viewcvs.cgi/xml-security/src/org/apache/xml/
> > security/c14n/implementations/
> > As assumed, they use the w3c dom for parsing and canonicalizing the
> > element.  Our version could would use xmlbeans and simply plug in
> > (knock on wood) and work.
> >
> > This is probably the first pass for a proof of concept and speed
> > comparison.  I don't know if there are any benchmarks made already,
> > but I can set up a harness for checking this.
> >
> > Noah
> >
> > On Thu, 01 Jul 2004 12:24:03 -0400, Joseph Hindsley
> > <jhindsley@providerlink.com> wrote:
> >>
> >> Hey all,
> >>
> >> Forgive me for not keeping up with this thread and my general
> >> ignorance
> >> of the whole topic, but when I was looking at XML signature a while
> >> back, I got the impression that c14n was one of many transforms that
> >> could be applied before the signing algorithm was applied. If you
> >> included an XPath transform in your signature, for example, you could
> >> limit the signature to only the elements specified in that XPath. Also
> >> there was 2 forms of c14n Canonicalization transform mentioned (and
> >> there may be others): Canonical XML and Exclusive Canonical XML
> >> (http://www.w3.org/Signature/).
> >>
> >> I guess my questions are, why limit the implementation to only doing a
> >> c14n transformation? Would it be possible to support transformations
> >> in
> >> general? Or tie into a project that does that already?
> >>
> >> Joe Hindsley
> >>
> >>
> >>
> >>
> >> On Thu, 2004-07-01 at 11:40, Eric Vasilik wrote:
> >>> I think that that producing c14n from an XmlBean is within the scope
> >>> of
> >>> XmlBeans.  Are there other aspects of security which would be
> >>> appropriate?
> >>>
> >>> - Eric
> >>>
> >>>> -----Original Message-----
> >>>> From: Ted Leung [mailto:twleung@sauria.com]
> >>>> Sent: Wednesday, June 30, 2004 10:23 PM
> >>>> To: xmlbeans-dev@xml.apache.org
> >>>> Subject: Re: xmlbeans xml security
> >>>>
> >>>> David,
> >>>>
> >>>> There is already an XML Security project at xml.apache.org.  Is
> >>>> there
> >>>> any
> >>>> chance of combining efforts with those folks on this?
> >>>>
> >>>> Ted
> >>>>
> >>>> On Jun 30, 2004, at 10:04 AM, David Remy wrote:
> >>>>
> >>>>> David (Waite),
> >>>>> I got the chance to meet with Noah Campbell for dinner Mon night
at
> >>>>> JavaOne and he expressed an interest in contributing in the are
of
> >>> xml
> >>>>> security.  I wonder if we should start a sandbox in cvs with a
> >>> security
> >>>>> directory that we could use to start experimenting on xml security
> >>> over
> >>>>> xmlbeans.  Unless someone has an issue with that I will go ahead
> >>>>> and
> >>> do
> >>>>> it (specifically under xml-xmlbeans create a subdirectory called
> >>>>> sandbox
> >>>>> and then a security directory under it).
> >>>>>
> >>>>> Perhaps we should get started on an XML Sig implementation and see
> >>> what
> >>>>> hurdles we run into.  I *believe* at some point we are going to
> >>>>> want
> >>> an
> >>>>> option on the xml store to keep things in the store canonically
so
> >>> that
> >>>>> the big c14n copy to create and validate signatures can be avoided.
> >>> In
> >>>>> the meantime though we could get started and therefore define any
> >>>>> requirements that the store might get.
> >>>>>
> >>>>> It only makes sense to have a security implementation in xmlbeans
> >>>>> if
> >>> we
> >>>>> can take advantage of the xml store to improve efficiency,
> >>>>> otherwise
> >>> we
> >>>>> should leave it to apache xml sec ...
> >>>>>
> >>>>> rem
> >>>>>
> >>>>> -
> >>> ---------------------------------------------------------------------
> >>>>> To unsubscribe, e-mail:   xmlbeans-dev-unsubscribe@xml.apache.org
> >>>>> For additional commands, e-mail: xmlbeans-dev-help@xml.apache.org
> >>>>> Apache XMLBeans Project -- URL: http://xml.apache.org/xmlbeans/
> >>>>>
> >>>> ----
> >>>> Ted Leung                          Blog:
> >>>> <http://www.sauria.com/blog>
> >>>> PGP Fingerprint: 1003 7870 251F FA71 A59A  CEE3 BEBA 2B87 F5FC 4B42
> >>>>
> >>>>
> >>>> -
> >>> ---------------------------------------------------------------------
> >>>> To unsubscribe, e-mail:   xmlbeans-dev-unsubscribe@xml.apache.org
> >>>> For additional commands, e-mail: xmlbeans-dev-help@xml.apache.org
> >>>> Apache XMLBeans Project -- URL: http://xml.apache.org/xmlbeans/
> >>>
> >>>
> >>> -
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail:   xmlbeans-dev-unsubscribe@xml.apache.org
> >>> For additional commands, e-mail: xmlbeans-dev-help@xml.apache.org
> >>> Apache XMLBeans Project -- URL: http://xml.apache.org/xmlbeans/
> >>
> >> -
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail:   xmlbeans-dev-unsubscribe@xml.apache.org
> >> For additional commands, e-mail: xmlbeans-dev-help@xml.apache.org
> >> Apache XMLBeans Project -- URL: http://xml.apache.org/xmlbeans/
> >>
> >>
> >
> > - ---------------------------------------------------------------------
> > To unsubscribe, e-mail:   xmlbeans-dev-unsubscribe@xml.apache.org
> > For additional commands, e-mail: xmlbeans-dev-help@xml.apache.org
> > Apache XMLBeans Project -- URL: http://xml.apache.org/xmlbeans/
> >
> 
> - ---------------------------------------------------------------------
> To unsubscribe, e-mail:   xmlbeans-dev-unsubscribe@xml.apache.org
> For additional commands, e-mail: xmlbeans-dev-help@xml.apache.org
> Apache XMLBeans Project -- URL: http://xml.apache.org/xmlbeans/
> 
>

- ---------------------------------------------------------------------
To unsubscribe, e-mail:   xmlbeans-dev-unsubscribe@xml.apache.org
For additional commands, e-mail: xmlbeans-dev-help@xml.apache.org
Apache XMLBeans Project -- URL: http://xml.apache.org/xmlbeans/


Mime
View raw message