OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

ebxml-msg message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Subject: RE: [ebxml-msg] Whitespace problem with XMLDSIG usage in ebMSS


Where I see a problem we cannot dismiss with a warning is when SOAP nodes
add/remove items in transit -- things which have an actor.  If an element (say
AckRequested or SyncReply) is added with an extra blank line, or if at the
intermediary an extra blank line is removed with the element, this will
invalidate the signature.  I agree with Sanjay, it is not reasonable to expect
intermediaries to add/remove elements without disturbing the signature.  His
solution fixes this potential problem.

I also agree with Doug about the cost of adding a transform, but this looks
necessary.

We could probably solve the problem with a warning if we did not allow anything
targeted to Next or NextMSH.

Regards,

David.

-----Original Message-----
From: Doug Bunting [mailto:dougb62@yahoo.com]
Sent: Wednesday, December 19, 2001 3:04 PM
To: Rich Salz; David Fischer
Cc: Cherian Sanjay; ebxml-msg@lists.oasis-open.org; Damodaran Suresh
Subject: Re: [ebxml-msg] Whitespace problem with XMLDSIG usage in ebMSS


I agree with Rich and think his reasoning can be extended to the underlying
problem as well.  Because the XSLT transform described doesn't come for
free, couldn't we recommend the xml:space="preserve" attribute be set for
the entire soap:Envelope or equivalent handling?

This is probably a general disagreement with the "unreasonable to expect
such an MSH to preserve irrelevant whitespace" point.  If we can require an
MSH to preserve whitespace in the SignedInfo element, why not in the
referenced signed material?

I certainly agree with Sanjay it is not intuitively obvious why the existing
canonicalization methods don't remove trivial whitespace.  That's balanced
against our need to support receivers not using verifying parsers (also the
"why" canonicalization works as it does) and the high cost of the
transformation described.  Therefore, I'm recommending not adding this
additional transform and instead requiring implementations to avoid the
underlying problem.

We'll need to discuss what "avoid the underlying problem" truly means
because I'm not sure xml:space has been consistently implemented in the XML
parser marketplace.  It also only requires the application layer learns of
all whitespace in the affected elements, not inclusion of that whitespace in
a related document created by the application layer.  In this context, the
"application layer" is anything above the XML parser, including the SOAP
processor, signature validator and MSH handler.

By the way, the XSLT block (if we do decide to use it) seems to contain a
typo.  Shouldn't
    <xsl:apply-templates select='@*'/>
    <xsl:apply-templates/>
instead be
    <xsl:apply-templates select='@*'>
    </xsl:apply-templates>
or
    <xsl:apply-templates select='@*'/>
I'm probably misremembering something that's not intuitive about XSLT...

thanx,
    doug

----- Original Message -----
From: "Rich Salz" <rsalz@zolera.com>
To: "David Fischer" <david@drummondgroup.com>
Cc: "Cherian, Sanjay" <Sanjay_Cherian@stercomm.com>;
<ebxml-msg@lists.oasis-open.org>; "Damodaran, Suresh"
<Suresh_Damodaran@stercomm.com>
Sent: Wednesday, 19 December 2001 12:14
Subject: Re: [ebxml-msg] Whitespace problem with XMLDSIG usage in ebMSS


Impressive analysis Sanjay.

I disagree with one part:

>The solution to this latter problem is to require MSHs to apply the XSL
>transform to ds:SignedInfo elements BEFORE signing and BEFORE verifying
> (that is, before the XMLDSIG implementation gets the envelope).

This is often not possible.  In many DSIG toolkits, the ds:SignedInfo is
generated by the signing code, and the application has no capability to
generate or modify it.

I think the only practical thing is to include a warning that
intermediate MSH's must treat at least ds:Signature elements as if the
xml:space="preserve" attribute is set.
/r$

--
Zolera Systems, Your Key to Online Integrity
Securing Web services: XML, SOAP, Dig-sig, Encryption
http://www.zolera.com

----------------------------------------------------------------
To subscribe or unsubscribe from this elist use the subscription
manager: <http://lists.oasis-open.org/ob/adm.pl>





[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Powered by eList eXpress LLC