OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

wss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [wss] Recently discover WSS security threat


Thomas,

I think the section you reference intends to imply that a signature still 
might verify without applying the transforms 
because the inpput to and output from a transform might be equivalent.
For instance if C14N is specified and the message was serialized with C14N 
already applied, the signature 
would verify even if you skip the canonicalization.
In the context of the XPath expression this would not be the case.

Thanks,
Mike


"DeMartini, Thomas" <Thomas.DeMartini@CONTENTGUARD.COM> wrote on 
05/27/2005 10:26:22 PM:

> According to the DSIG spec, "core validation behavior does not confirm
> that the signed data was obtained by applying each step of the indicated
> transforms" (http://www.w3.org/TR/xmldsig-core/#sec-Security).
> Therefore, unless your post-transform data includes the fact that the
> abc header is a direct child of the soap:header element, core validation
> behaviour does not confirm that it is.
> 
> So whatever transform you use, the *output* of the transform has to look
> like:
> <soap:Envelope>
>   <soap:Header>
>     <my:header wsu:id="abc">
>        ...
>     </my:header>
>   </soap:Header>
>   <soap:Body>
>     ...
>   </soap:Body>
> </soap:Envelope>
> 
> You can write such a transform using the regular xpath transform instead
> of the xmldsig-filter2 transform, but it is much more complicated, as
> discussed in the xmldsig-filter2 spec.  It would have to look something
> like this (not debugged):
> 
> (ancestor-or-self::soap:Envelope and not (ancestor::soap:Header)) or
> ancestor-or-self::my:header[wsu:id='abc']
> 
> (Recall that the regular XPath transform returns all nodes for which the
> XPath evaluates to true.  Contrast this with the xmldsig-filter2
> transform which returns all nodes that are selected by the XPath.)
> 
> &Thomas.
> 
> ] -----Original Message-----
> ] From: Rich Salz [mailto:rsalz@datapower.com]
> ] Sent: Friday, May 27, 2005 5:57 PM
> ] To: DeMartini, Thomas
> ] Cc: Hal Lockhart; wss@lists.oasis-open.org
> ] Subject: RE: [wss] Recently discover WSS security threat
> ] 
> ] > Then you're still just signing the header and not the fact that the
> ] > header is *directly* inside the soap:Header element.
> ] 
> ] I don't see it.
> ]    /soap:envelope/soap:header/*[wsu:id='abc']
> ] As a simple XPath transform will find only nodes that are direct
> children
> ] of the header and who have the wsu:id attribute with the right value.
> ] 
> ] In other words, you can do it with a simple XPath transform, not the
> more
> ] complicated XPath2 transform. Right?
> ] 
> ]    /r$
> ] 
> ] --
> ] Rich Salz                  Chief Security Architect
> ] DataPower Technology       http://www.datapower.com
> ] XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  You may a link to this group and all your TCs in 
OASIS
> at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 
> 



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]