[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: REVISED Proposal: i018 Absolute XPath expressions
Revised Proposal: Note: Line numbers are form the version @ http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/17050/ws-securitypolicy-1.2-spec-ed-01-r04.doc Append the following to the list of algorithm suites (@line 1276): "[Abs XPath] Absolute Path XPath Expression" Append the following to the table of abbreviations and algorithm URIs (@line 1277): "AbsXPath http://http://docs.oasis-open.org/...TBD.../AbsXPath" Insert the following to the list of algorithm suites (@line 1390): "<sp:AbsXPath ... />" Append the following to the list of algorithm suites (@line 1444): "/sp:AlgorithmSuite/wsp:Policy/sp:AbsXPath This assertion indicates that the [XPath] property is set to 'AbsXPath'." Thanks, Mike Michael McIntosh/Watson/IBM@IBMUS wrote on 02/07/2006 05:15:08 PM: > Signed XML re-writing attacks take advantage of the position independence > (you can move the target element and the reference still resolves) of > IDREF signature references. The sp:OnlySignEntireHeadersAndBody assertion > can help prevent these attacks when only the soap:Body and children of the > soap:Header element are to be signed. However, when other elements are > referenced in a signature it may be necessary to use a position dependent > reference mechanism such as an absolute path XPath expression. For a > detailed explanation of this issue see: > > http://domino.research.ibm.com/library/cyberdig. > nsf/papers/73053F26BFE5D1D385257067004CFD80/$File/rc23691.pdf > > Note that not this example XPath expression uses an absolute path: > a) /soap:Envelope/soap:Header/wsa:ReplyTo > and this example does not use an absolute path: > b) //wsa:ReplyTo > While all elements resulting from evaluating "a" are also returned by > evaluating "b", the reverse is not necessarily true. "b" does not protect > against the element being moved after it is signed. > > Proposal > > Before Line 606 Add: > > /sp:SignedParts/sp:Header/@UsePositionalReference > This optional attribute indicates that the specified SOAP header element > must be integrity protected in a way that prevents repositioning the > element in the message. If this attribute is "1" (true) and XML Signature > is used to protect the integrity of the element, the reference must use an > absolute path XPath expression. If this attribute is not specified the > default is "0" (false). > > Before Line 626 Add: > > /sp:SignedElements/@UsePositionalReference > This optional attribute indicates that the specified element(s) must be > integrity protected in a way that prevents repositioning the element(s) in > the message. If this attribute is "1" (true) and XML Signature is used to > protect the integrity of the element(s), the reference(s) must use an > absolute path XPath expression. If this attribute is not specified the > default is "0" (false).
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]