dss-x message

Subject: Raw chat trace of meeting #184 on 2017-SEP-04

[18:01] Stefan Hagen: DSS-X Conference Call #184, Monday, 04 September 2017, 1800 - 1900 CEST

Acting chair: Stefan Hagen

1. Welcome by the chair (Stefan Hagen)
[18:02] Stefan Hagen: Voting Members: 4 of 5 (80%) (used for quorum calculation)
[18:02] Stefan Hagen: we are quorate
[18:03] Stefan Hagen: 1. Welcome by the chair (Stefan Hagen)

2. Minutes taker

All write into the chat, Stefan assembles and uploads into document area.
[18:04] Stefan Hagen: 3. Roll call

Voting members present:

Andreas Kuehne
Ernst Jan van Nigtevecht
Juan Carlos Cruellas
Stefan Hagen

Acronyms/short hand: (AK, EJvN, JCC, SH)

Quorum reached.

Participation info at Event-URL:

Regrets: Detlef Huehnlein
[18:04] Stefan Hagen: 4. Approval of the agenda
[18:04] Stefan Hagen: Approved unchanged as published.

5. Approval of minutes from previous calls

5.1 Meeting minutes of #183 on 2017-JUL-31

[18:05] Stefan Hagen: Approved unchanged as published.
[18:05] Stefan Hagen: 6. Core v2.0 issues discussion
[18:06] Stefan Hagen: 6.1 Mitigation of protocol level threats
6.1.1 Defending against "Exploiting the use of canonicalization as content extractor"
Discussion on "To embed or not to embed XML fragments"
[18:07] Stefan Hagen: JCC: Asks if there has been any complaint or report of any such attack?
[18:08] Stefan Hagen: JCC: Has not heard of anything of this kind in any W3C XML Request/response payloads
[18:09] Stefan Hagen: JCC: Encoding the signature in base64 does not mitigate the threat, but only enforces another stage of wrapping on the attacker
[18:11] Stefan Hagen: JCC: Thus he is strongly opposed to forbidding inline XML signatures in DSS v2.0 based on unproven facts.
[18:14] Stefan Hagen: AK: Mentions two aspects: 1) the paper from Ruhr Uni Bochum, and 2) the second step we use for inline XML, and the latter he exploited with the sample code (Note: focus on the additional step we allow in DSS v1).
[18:15] Stefan Hagen: JCC and AK discuss the matter.
[18:19] Stefan Hagen: JCC: Mentions subtree detach and extraction on XML trees and that during intro tests these did lead to problems, and one could resolve it by removing these inherited structures from canonicalization
[18:20] Stefan Hagen: AK: Differentiates, that you may get rid of the subtree but not of the consequences of namespace manipulation
[18:20] Stefan Hagen: AK: Explains that the problem seems to be (if present) in the split between the first and the second step in our processing protocol.
[18:22] Stefan Hagen: JCC: We did not prescribe an extra step of canonicalisation, but an exclusive canonicalisation.
[18:22] Stefan Hagen: JCC: Imagines, we can remove the exclusive canonicalisation step in future version
[18:22] Stefan Hagen: AK: The server is not able to detect the changes nevertheless
[18:23] Stefan Hagen: AK: Sees no path in processing in that situation to not include that problem
[18:24] Stefan Hagen: ALL discuss the scenario and possible processing procedures to not risk that gap
[18:29] Stefan Hagen: AK: Reminds everyone, that his PoC focuses on exploitation of the effect of inherited namespaces
[18:29] Stefan Hagen: AK: Again: There are 2 unrelated possible issues we all want to resolve.
[18:34] Stefan Hagen: AK: Giving back control to an attacker between two processing steps is, in his view, the possible attack we want to exclude
[18:40] Stefan Hagen: JCC: Reads from DSSv1 spec, that in contrast to the document object, this is not allowed for the signature object
[18:41] Stefan Hagen: AK: Still sees problems with any kind of inheritance that might change the subtree, and thus could lead to an attacker being able to exploit this difference in her favor
[18:49] Stefan Hagen: EJvN: Suggests to produce a base document so we can see these processing paths that could lead to validating vs. non-validating signatures w.r.t. the same document side by side
[18:49] Stefan Hagen: AK: Had already tried with the slides, but will try again better 
[18:50] Stefan Hagen: JCC: Notes that on these slides, it seems, the labels of with vs. without exclusive canonicalization were mixed up
[18:52] Stefan Hagen: AK: Suggests to stop discussing today, and will provide a second draft so we can clarify among ourselves
[18:53] Stefan Hagen: 6.2 Conversion and validation tools for the DOCX, JSON, and XSD "triangle"
6.2.1 Proposal / Analysis from Andreas Kuehne
URL = https://lists.oasis-open.org/archives/dss-x/201708/msg00102.html

Skipped (next meeting)
7. Profiles


8. AOB
[18:53] Stefan Hagen: None
[18:54] Stefan Hagen: 9. Next meetings 

9.1 Next Meeting

Mon, 18 September 2017 DSS-X Conference Call 185:
[18:54] Stefan Hagen: Agreed
[18:54] Stefan Hagen: Meeting adjourned by chair