[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [wss] RE: [wss-comment] Id clash case
> As Manveen has pointed out, I do not think that WS-Security clearly > handles the case where a wsu:id attribute has the same value as another > id attribute that is NOT from the wsu namespace e.g. xml:id. > > Mike: Do you want to extend the WSS uniqueness constraint to cover the > case where another id attribute (not in the wsu namespace) has the same > value as a wsu:id attribute? It's a hard problem. Unless every party seeing the message knows (such as via Schema) about every ID attribute in the entire message, then the "confusion" attack is still possible, as are various denial of service attacks (inserting a new header with the same attribute but a different hash value). Meeting that requirement isn't possible, and even if we could, it'd lead to very brittle and tightly bound applications, which we don't want. The best thing is probably to encourage that dsig:Reference/@URI values *only* point to wsu:id attributes. We can expect that all WSS-aware toolkits to understand that one. There will probably be pushback to use xml:id, which is probably safe, too. Perhaps the rationale just mentions this issue, and WS-I profile makes it a MUST. /r$ -- Rich Salz, Chief Security Architect DataPower Technology http://www.datapower.com XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]