

Subject: RE: [wss] Issue 389: Detection of Duplicate IDs


> 3.	If there are any duplicate values amongst any of the attributes
> of type ID, then the XML document is not valid.
>
> Note that not valid is not the same as not well-formed.

Note that to be valid you MUST have a DTD.

> I think the WSS stacks will have to at least collect up all the wsu:Id,
> xenc:*/ID and ds:*/ID attributes and check them for uniqueness. I can
> also see given implementations that support SAML tokens including those
> attributes too.

Yes, an implementation will have to scan the ones it knows about.  A
risk is if an adversary knows about others that not all the other parts of
(sender, sender stack) and (receiver, receiver stack) know about.  One way
to address this is to require that the target of any dsig:Reference/@URI
fragments MUST point to a wsu:Id.  Since validity allows only one ID
attribute per element, and since validity requires a DTD, then validity
isn't relevant here, and we could have multiple ID attributes. I'm not
sure that's a good thing.

Schema tries to address some of the validity items for IDs, but it requires
all recipients to have all schemas relevant to the message.  That kinda
defeats the purpose of loose coupling.

I still think the simple XPath transform is the only safe thing to do,
although I don't like it.
	/r$

-- 
Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
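The two receiver-side checks discussed in this message, as an added example that is not part of the original post nor code from DataPower or any other product named here: collect every wsu:Id, ds:*/Id and xenc:*/Id attribute and reject the message if any value occurs more than once, and require that every ds:Reference/@URI fragment resolves to exactly one element that is identified by a wsu:Id (not by some other ID-typed attribute the receiver may not know about). The namespace URIs are the published WSS 1.0 utility, XML Signature and XML Encryption namespaces; the SOAP envelopes are constructed sample input, and the function and variable names are this example's own.

```python
"""Duplicate-ID and Reference-target checks for a WS-Security message.

Added example (not from the thread or any product it mentions). The
sample envelopes below are constructed for illustration only.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"

WSU_ID = f"{{{WSU}}}Id"          # the wsu:Id attribute in Clark notation
ID_NAMESPACES = {DS, XENC}       # elements whose unqualified Id is ID-typed


def _namespace(tag):
    """Namespace URI of an ElementTree tag ('{ns}local'), or '' if none."""
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def collect_ids(root):
    """Map every ID value the receiver recognises to the elements carrying it."""
    ids = defaultdict(list)
    for elem in root.iter():
        for name, value in elem.attrib.items():
            is_wsu_id = name == WSU_ID
            is_ds_or_xenc_id = name == "Id" and _namespace(elem.tag) in ID_NAMESPACES
            if is_wsu_id or is_ds_or_xenc_id:
                ids[value].append(elem)
    return ids


def find_duplicate_ids(root):
    """ID values that occur more than once anywhere in the document."""
    return sorted(v for v, elems in collect_ids(root).items() if len(elems) > 1)


def check_references(root):
    """Problems with ds:Reference/@URI fragments, per the strict wsu:Id rule."""
    ids = collect_ids(root)
    problems = []
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        if uri == "":
            continue  # same-document reference: the whole envelope is signed
        if not uri.startswith("#"):
            problems.append(f"non-fragment URI not supported: {uri!r}")
            continue
        targets = ids.get(uri[1:], [])
        if len(targets) != 1:
            problems.append(f"URI {uri!r} resolves to {len(targets)} elements")
        elif targets[0].get(WSU_ID) != uri[1:]:
            problems.append(f"URI {uri!r} target is not identified by wsu:Id")
    return problems


def validate(xml_text):
    """Return a list of problems; an empty list means both checks passed."""
    root = ET.fromstring(xml_text)
    problems = [f"duplicate ID value: {d}" for d in find_duplicate_ids(root)]
    problems += check_references(root)
    return problems


# Constructed sample: one Timestamp, one Body, one EncryptedData, one Signature.
GOOD = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsu="{wsu}" xmlns:ds="{ds}" xmlns:xenc="{xenc}">
  <s:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2004-01-01T00:00:00Z</wsu:Created></wsu:Timestamp>
      <ds:Signature Id="SIG-1">
        <ds:SignedInfo>
          <ds:Reference URI="#TS-1"/>
          <ds:Reference URI="#BODY-1"/>
        </ds:SignedInfo>
      </ds:Signature>
    </wsse:Security>
  </s:Header>
  <s:Body wsu:Id="BODY-1">
    <xenc:EncryptedData Id="ENC-1"/>
  </s:Body>
</s:Envelope>""".format(wsu=WSU, ds=DS, xenc=XENC)

# Constructed variant: a second element in the header reuses wsu:Id="BODY-1".
DUPLICATE = GOOD.replace("<s:Header>", '<s:Header><Note xmlns="urn:example" wsu:Id="BODY-1"/>')

# Constructed variant: a Reference points at an element identified only by xenc Id.
NOT_WSU = GOOD.replace('URI="#TS-1"', 'URI="#ENC-1"')

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("duplicate", DUPLICATE), ("not-wsu", NOT_WSU)):
        print(label, validate(doc) or "ok")
```

The `DUPLICATE` case trips both checks (the value is listed twice, so the `#BODY-1` reference resolves to two elements), while `NOT_WSU` passes the uniqueness check and fails only the stricter wsu:Id rule proposed in the message; whether that second rule is worth its cost is exactly what the thread is debating.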