Subject: Re: [wss] Recently discover WSS security threat


> "The semantics of the XPath transform" is not one of the steps.
> Therefore the answer is unresponsive to the question "which of these
> steps".

Okay.  MU -- unask the question.    I don't think the layer between 
signature-code and application code must be restricted to those two steps.

> http://www.oasis-open.org/apps/org/workgroup/wss/email/archives/200506/msg00026.html.

My answer to your questions would be
	Yes, that works, but I don't think it's necessary since it's very 
complex, not required, and seems to be based on a specific information 
model.

> ] a signature comes in that includes an XSLT transform.  Do you
> ] then forward the result of running the XSLT instead of the data
> ] that's actually in the message?
> 
> Yes, that is my reading of the DSIG spec.  It also seems to be the most
> secure thing to do.

My view is that this runs counter to "see what is being signed," section 
8.1.3, http://www.w3.org/TR/xmldsig-core/#sec-See .  Also, I'm not sure 
if including an XSLT implementation in the DSIG implementation is the 
most secure way to do things -- the more I can leave out, the more 
secure it is, I think.

> I'm unconvinced policy alone can solve this problem.

Me neither.  But it's where the herd is moving, so it stands the best 
chance of having the broadest set of solutions for the broadest set of 
implementations.

	/r$

-- 
Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
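The point argued in the message above (a signer-chosen transform decides what the digest covers, so an application that reads the raw message instead of the transform output can consume data the signature never protected) is shown below in a small added example. It is not code from the thread, from DataPower, or from any DSIG implementation. It stands in for XSLT/XPath with a hand-written "drop-amount" transform, uses a SHA-256 digest in place of a real signature, and uses `ET.tostring` in place of canonicalization; `MESSAGE`, `ALLOWED_TRANSFORMS`, `sign_reference`, `verify_reference` and `demo` are all assumed names invented for this illustration.

```python
import copy
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample message; not taken from the thread.
MESSAGE = "<Order><Item>widget</Item><Amount>10</Amount></Order>"

# Transforms this verifier is willing to execute.  Only "identity" (a stand-in
# for the usual c14n/enveloped-signature pair) is permitted; arbitrary
# XSLT/XPath transforms are refused rather than implemented ("the more I can
# leave out, the more secure it is").
ALLOWED_TRANSFORMS = {"identity"}


def identity(root):
    return copy.deepcopy(root)


def drop_amount(root):
    """Stand-in for a signer-supplied XSLT/XPath transform: it removes the
    <Amount> element, so the digest no longer covers it."""
    out = copy.deepcopy(root)
    for child in list(out):
        if child.tag == "Amount":
            out.remove(child)
    return out


TRANSFORMS = {"identity": identity, "drop-amount": drop_amount}


def serialize(root):
    # ET.tostring is a crude stand-in for canonicalization; enough for the demo.
    return ET.tostring(root)


def digest(root):
    return hashlib.sha256(serialize(root)).hexdigest()


def sign_reference(xml_text, transform_name):
    """Signer side: apply the chosen transform, digest its output and emit a
    Reference-like record naming the transform.  No key operations; the
    digest stands in for the signature value."""
    out = TRANSFORMS[transform_name](ET.fromstring(xml_text))
    return {"transform": transform_name, "digest": digest(out)}


def verify_reference(xml_text, reference, strict=True):
    """Verifier side.  Returns (ok, covered_bytes).

    covered_bytes is the transform output, i.e. the only data the digest
    actually protects; an application that wants "what was signed" must
    consume that, not the raw message.  With strict=True any transform
    outside ALLOWED_TRANSFORMS is rejected outright."""
    name = reference["transform"]
    if strict and name not in ALLOWED_TRANSFORMS:
        return False, None
    out = TRANSFORMS[name](ET.fromstring(xml_text))
    if digest(out) != reference["digest"]:
        return False, None
    return True, serialize(out)


def demo():
    """Walk through the scenario discussed in the thread and return outcomes."""
    # Signer supplies a transform that excludes <Amount> from the digest.
    ref = sign_reference(MESSAGE, "drop-amount")
    # The message is altered in transit: <Amount> changes but the digest
    # input (the transform output) does not.
    tampered = MESSAGE.replace("<Amount>10</Amount>", "<Amount>9999</Amount>")
    lenient_ok, covered = verify_reference(tampered, ref, strict=False)
    strict_ok, _ = verify_reference(tampered, ref, strict=True)
    raw_amount = ET.fromstring(tampered).findtext("Amount")
    covered_amount = ET.fromstring(covered).findtext("Amount") if covered else None
    return {
        "lenient_verifies": lenient_ok,           # True: tampering is invisible
        "raw_amount_seen_by_app": raw_amount,     # "9999", never signed
        "amount_in_signed_data": covered_amount,  # None: not in transform output
        "strict_verifies": strict_ok,             # False: transform refused
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two defences fall out of the demo: either forward only `covered_bytes` to the application (the "forward the transform output" reading of the spec), in which case the application simply never sees an `<Amount>`, or refuse to run transforms outside a short allowlist (the `strict=True` path), in which case the reference fails verification before any transform code runs. Both avoid the gap between what was digested and what was acted on.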

