Subject: RE: [wss] Issue 389: Detection of Duplicate IDs
> 3. If there are any duplicate values amongst any of the attributes
> of type ID, then the XML document is not valid.
>

Note that not valid is not the same as not well-formed.  Note that to be
valid you MUST have a DTD.

> I think the WSS stacks will have to at least collect up all the wsu:Id,
> xenc:*/ID and ds:*/ID attributes and check them for uniqueness.  I can
> also see given implementations that support SAML tokens including those
> attributes too.

Yes, an implementation will have to scan the ones it knows about.  A risk
is if an adversary knows about others that not all the other parts of
(sender, sender stack) and (receiver, receiver stack) know about.

One way to address this is to require that the target of any
dsig:Reference/@URI fragments MUST point to a wsu:Id.

Since validity allows only one ID attribute per element, and since validity
requires a DTD, then validity isn't relevant here, and we could have
multiple ID attributes.  I'm not sure that's a good thing.  Schema tries to
address some of the validity items for ID's, but it requires all recipients
to have all schemas relevant to the message.  That kinda defeats the purpose
of loose coupling.

I still think the simple XPath transform is the only safe thing to do,
although I don't like it.

        /r$

--
Rich Salz
Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
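The two checks discussed in this message, collecting every ID-typed attribute the receiver knows about and testing them for uniqueness, and the proposed stricter rule that each dsig:Reference/@URI fragment must resolve to exactly one element carrying wsu:Id, as an added example that is not part of the thread or of any WSS implementation. The sample SOAP message is constructed for the example; the namespace URIs are the published WS-Security utility, XML-DSig, XML-Enc and SAML 1.0 namespaces, and the helper names (`collect_ids`, `check_references`, `analyze`) are this example's own.

```python
"""Duplicate-ID detection for a WS-Security message (added example, stdlib only)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"


def id_attributes(elem):
    """Yield (attribute-name, value) for each attribute on `elem` that this receiver
    treats as ID-typed.  wsu:Id is a namespace-qualified attribute; ds:*/@Id,
    xenc:*/@Id and saml:Assertion/@AssertionID are unqualified attributes on
    elements that live in those namespaces."""
    ns = elem.tag.split("}")[0][1:] if elem.tag.startswith("{") else ""
    for name, value in elem.attrib.items():
        if name == f"{{{WSU}}}Id":
            yield "wsu:Id", value
        elif name == "Id" and ns in (DS, XENC):
            yield "Id", value
        elif name == "AssertionID" and ns == SAML:
            yield "AssertionID", value


def collect_ids(root):
    """Map every ID value to the list of (element tag, attribute) that carry it."""
    seen = defaultdict(list)
    for elem in root.iter():
        for attr, value in id_attributes(elem):
            seen[value].append((elem.tag, attr))
    return seen


def duplicate_ids(root):
    """Return {value: occurrences} for each ID value that appears more than once."""
    return {v: occ for v, occ in collect_ids(root).items() if len(occ) > 1}


def check_references(root):
    """The stricter rule from the message: every ds:Reference/@URI fragment must
    resolve to exactly one element, and that element must be identified by wsu:Id.
    Returns a list of (uri, problem); an empty list means all references are safe."""
    ids = collect_ids(root)
    problems = []
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            problems.append((uri, "not a same-document fragment"))
            continue
        occ = ids.get(uri[1:], [])
        if not occ:
            problems.append((uri, "unresolved"))
        elif len(occ) > 1:
            problems.append((uri, f"ambiguous: {len(occ)} elements carry this ID"))
        elif occ[0][1] != "wsu:Id":
            problems.append((uri, f"target identified by {occ[0][1]}, not wsu:Id"))
    return problems


def analyze(xml_text):
    """Run both checks over a serialized message and report the findings."""
    root = ET.fromstring(xml_text)
    return {"duplicates": duplicate_ids(root), "reference_problems": check_references(root)}


# Constructed sample: a signed Timestamp and Body, each identified by wsu:Id.
GOOD = f"""<S:Envelope xmlns:S="{SOAP}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">
  <S:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2004-01-01T00:00:00Z</wsu:Created></wsu:Timestamp>
      <ds:Signature Id="Sig-1">
        <ds:SignedInfo>
          <ds:Reference URI="#Body-1"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
          <ds:Reference URI="#TS-1"><ds:DigestValue>BBBB</ds:DigestValue></ds:Reference>
        </ds:SignedInfo>
      </ds:Signature>
    </wsse:Security>
  </S:Header>
  <S:Body wsu:Id="Body-1"><Order>42</Order></S:Body>
</S:Envelope>"""

# Constructed variant: a second element reuses the Body's wsu:Id, so "#Body-1" is ambiguous.
DUP = GOOD.replace("<S:Header>", '<S:Header><Extra wsu:Id="Body-1"/>')

if __name__ == "__main__":
    print(analyze(GOOD))
    print(analyze(DUP))
```

Both checks are worth keeping: the duplicate scan catches reuse of any ID the receiver recognises, and the reference check rejects a signature whose target is ambiguous or not anchored on wsu:Id even when the duplicate is introduced through an attribute the scanner does not know about.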