Subject: Re: In relation to DSS Action Item - 06-04-24-01 - C14N Note


Hi Hal,

sorry if my mail was not clear enough.

However I assumed the proposal was as discussed in previous
teleconferences: firstly to forward the following text to the wss mailing
list, and secondly to potentially get a discussion in the W3C about specifying
"context free extraction" on the XPath data model (or XML Infoset) started.
Something similar to: http://www.w3.org/Submission/xpl/#infoset-extraction,
however distinct in not inheriting namespaces and inheritable attributes and
performing canonicalization.

best regards
Konrad

It is well known that problems of spurious validation errors can occur
with XML Digital Signature due to the inclusion of different namespace
declarations under the signature than those included when the signature
was calculated. The Exclusive Canonicalization Algorithm was devised to
address this issue. However, during our work, the OASIS Digital
Signature Services Technical Committee has identified additional cases
where this may occur.

If expressions (XPath-Expressions) inside XPath-Filters (or XPath-Filters
2.0), XSLT etc. used in the chain of transforms
(i.e. <ds:Reference>/<ds:Transforms>/<ds:Transform>) are used in a
way so that they may also refer to parts of the surrounding context, e.g. a
transport protocol, the output will be different depending on whether
the document is inside that context or not. This can result in spurious
validation errors.

Such transformations walk up the XPath ancestor-axis or refer to absolute
parts that may be changed by processing and include or exclude elements
depending on the existence or values of attributes or elements of the
transport protocol.

Hence somebody may repudiate having created a valid signature if s/he has
the possibility to choose the context in which the signature is to be
verified, i.e. the signature is valid in one system, but invalid in another one.

The following line in WSS 1.1 section 8
<http://www.oasis-open.org/committees/download.php/16790/wss-v1.1-spec-os-SOAPMessageSecurity.pdf#page=35>

"... Instead, messages SHOULD explicitly include the elements to be
signed. ..."

suggests that explicit referencing of the relevant elements and their
children to be signed is sufficient to prevent false negatives caused by
changes to the transport protocol (i.e. soap headers).
As mentioned above this isn't the case.

Also the use of SOAP normalization as recommended in WSS 1.1 section 8.1
<http://www.oasis-open.org/committees/download.php/16790/wss-v1.1-spec-os-SOAPMessageSecurity.pdf#page=36>

is not sufficient as long as it is not performed as the first transform in the
chain of transforms and then followed by canonicalization.
This would assure that elements and attributes removed from the nodeset
cannot be navigated via XPath and the underlying document anymore.

The means identified by the OASIS Digital Signature Services Technical
Committee to assure consistent behavior is "context free extraction"
of signed inline XML content as in section 3.3.2 Process Variant
for <InlineXML>
<http://docs.oasis-open.org/dss/v1.0/oasis-dss-1.0-core-spec-cd-r4.pdf#page=22>.

Hal Lockhart wrote:
> I am sorry; I can't make any sense of this message. Are you proposing
> something?
>
> Hal
>
>   
>> -----Original Message-----
>> From: Konrad Lanz [mailto:Konrad.Lanz@iaik.tugraz.at]
>> Sent: Monday, August 21, 2006 12:31 PM
>> To: Konrad Lanz
>> Cc: Hal Lockhart; DSS TC List
>> Subject: Re: In relation to DSS Action Item - 06-04-24-01 - C14N Note
>>
>> Konrad Lanz wrote:
>>     
>>> depending on the
>>>       
>> existence or values of attributes or elements of the transport
>>     
> protocol.
>   
>> <sorry I forgot, this bit.>
>>
>> --
>> Konrad Lanz, IAIK/SIC - Graz University of Technology
>> Inffeldgasse 16a, 8010 Graz, Austria
>> Tel: +43 316 873 5547
>> Fax: +43 316 873 5520
>> https://www.iaik.tugraz.at/aboutus/people/lanz
>> http://jce.iaik.tugraz.at
>>
>> Certificate chain (including the EuroPKI root certificate):
>> https://europki.iaik.at/ca/europki-at/cert_download.htm
>>     
>
>   
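An added illustration of the failure mode Konrad describes (this script is not part of the thread or of any OASIS specification): a transform that walks the ancestor axis is emulated by hand with the Python standard library and applied to a constructed order document once on its own and once inside a constructed SOAP-like envelope, first directly and then after a DSS-style context-free extraction. The element names, the Route header and the filter condition are assumptions made for the demo.

```python
import hashlib
from xml.dom import minidom

# Constructed sample: the element whose content is actually signed.
SIGNED_XML = '<Order xmlns="urn:example:order"><Item id="1">Widget</Item></Order>'

# Constructed sample transport context (a SOAP-like envelope) around it.
ENVELOPE_XML = (
    '<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">'
    '<env:Header><env:Route priority="high"/></env:Header>'
    '<env:Body>' + SIGNED_XML + '</env:Body></env:Envelope>'
)

def find_order(doc):
    return doc.getElementsByTagNameNS("urn:example:order", "Order")[0]

def context_dependent_filter(node):
    """Emulates an XPath filter that walks the ancestor axis, e.g.
    ancestor::env:Envelope/env:Header/env:Route[@priority='high']:
    keep the subtree only if such a Route exists above the node."""
    anc = node.parentNode
    while anc is not None and anc.nodeType == anc.ELEMENT_NODE:
        if anc.localName == "Envelope":
            for route in anc.getElementsByTagNameNS(anc.namespaceURI, "Route"):
                if route.getAttribute("priority") == "high":
                    return True
        anc = anc.parentNode
    return False

def digest(node, transform):
    """Digest of the (simplified) canonical form after the transform;
    an empty node-set digests the empty string."""
    data = node.toxml() if transform(node) else ""
    return hashlib.sha256(data.encode()).hexdigest()

def context_free_extract(node):
    """Re-parse the subtree as its own document (the DSS 'context free
    extraction'); the original ancestors are no longer reachable."""
    return find_order(minidom.parseString(node.toxml()))

def compare(extract_first):
    """Returns (digest seen by signer, digest seen by verifier) when the
    signer works on the bare document and the verifier on the envelope."""
    standalone = find_order(minidom.parseString(SIGNED_XML))
    embedded = find_order(minidom.parseString(ENVELOPE_XML))
    if extract_first:
        standalone, embedded = context_free_extract(standalone), context_free_extract(embedded)
    return (digest(standalone, context_dependent_filter),
            digest(embedded, context_dependent_filter))
```

`compare(False)` returns two different digests (the spurious validation error), while `compare(True)` returns equal ones because the ancestor axis has nothing to reach once the signed element lives in its own document.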
