[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [dss] OASIS DSS "Request for Feedback" - Signing Templates
> This can happen on KeySelector just as easily as it can on KeyInfo, it is > just a matter of how one instructs the server to create signatures. I'm not so sure. The server can always "protect" itself by putting in the X509Certificate element that it has "on file." > I believe the benefit, especially in the area of complex > Reference/Transform combinations outways the very few "slip by the server" > concerns, which should be carefully validated anyway. I'm not so sure. For example, if I ask for an embedded signature with an xslt transform -- i.e., the server will return the "modified" document with signature to me -- then I could probably coerce the server into giving me files on its local disk that it doesn't want to: <dsig:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116"> <xsl:template> <xsl:variable name="x"> <noise>file<noise>:///etc</noise>/<noise/> <noise/>passwd </noise> </xsl:variable> <tns:foo> <!-- The document call does an implicit "xsl:string" call on its argument, which means it ends up with file:///etc/passwd the URL for the password file on many unix-like systems. --> <xsl:copy><xsl:value-of select="document($x)"/></xsl:copy> </tns:foo> </xsl:template> </dsig:Transform> Is it reasonable to expect a DSS server to understand the semantics of xslt so that it can protect itself from this? Probably not. Is it reasonasble to require a DSS server to appropriate hook itself into the xslt engine that it uses, so that it can verify all document() calls? Maybe. But there's also xsl:include, xsl:import, external entities therein, etc. > This I believe is up > to the implementation, afterall it is the server that has the last word. But > I see your point about having the core "Warn" implementations to be careful. Warn, in the sense that Ivan is a spring zephyr. :) > Please remember, feedback is being solicited on the core versus profile > decision, not on the virtues/pitfalls of templates. Yup, I understand. That is why I want them to be a separate profile, so that my server be compliant, not implement them, and therefore be more secure. /r$ -- Rich Salz Chief Security Architect DataPower Technology http://www.datapower.com XS40 XML Security Gateway http://www.datapower.com/products/xs40.html XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]