OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

ws-sx message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: i018 Absolute XPath expressions

Signed XML re-writing attacks take advantage of the position independence 
(you can move the target element and the reference still resolves) of 
IDREF signature references. The sp:OnlySignEntireHeadersAndBody assertion 
can help prevent these attacks when only the soap:Body and children of the 
soap:Header element are to be signed. However, when other elements are 
referenced in a signature it may be necessary to use a position dependent 
reference mechanism such as an absolute path XPath expression. For a 
detailed explanation of this issue see:
 
http://domino.research.ibm.com/library/cyberdig.nsf/papers/73053F26BFE5D1D385257067004CFD80/$File/rc23691.pdf

Note that not this example XPath expression uses an absolute path:
        a) /soap:Envelope/soap:Header/wsa:ReplyTo
and this example does not use an absolute path:
        b) //wsa:ReplyTo
While all elements resulting from evaluating "a" are also returned by 
evaluating "b", the reverse is not necessarily true. "b" does not protect 
against the element being moved after it is signed.

Proposal

Before Line 606 Add:

/sp:SignedParts/sp:Header/@UsePositionalReference
This optional attribute indicates that the specified SOAP header element 
must be integrity protected in a way that prevents repositioning the 
element in the message. If this attribute is "1" (true) and XML Signature 
is used to protect the integrity of the element, the reference must use an 
absolute path XPath expression. If this attribute is not specified the 
default is "0" (false).

Before Line 626 Add:

/sp:SignedElements/@UsePositionalReference
This optional attribute indicates that the specified element(s) must be 
integrity protected in a way that prevents repositioning the element(s) in 
the message. If this attribute is "1" (true) and XML Signature is used to 
protect the integrity of the element(s), the reference(s) must use an 
absolute path XPath expression. If this attribute is not specified the 
default is "0" (false).

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]