You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@santuario.apache.org by bu...@apache.org on 2008/03/18 18:27:15 UTC
DO NOT REPLY [Bug 44629] New: Switch order of XML Signature
validation steps
https://issues.apache.org/bugzilla/show_bug.cgi?id=44629
Summary: Switch order of XML Signature validation steps
Product: Security
Version: Java 1.4.1
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Signature
AssignedTo: security-dev@xml.apache.org
ReportedBy: sean.mullan@sun.com
The XMLDSig specification lists the order of operations in core validation as
first validating the digests, and then the signature. This order is not a
requirement but the Java XMLSec implementation chose to implement it in this
order.
The reverse order (validating the signature first and then the digests) is
actually safer and leads to earlier detection of invalid signatures, as this
would detect attempts to insert or modify information in the SignedInfo element
before validating the references. For example, this would detect attempts to
insert malicious transforms before they are executed, or any modification of
the contents of the SignedInfo.
See Brad Hill's paper for more information:
http://www.w3.org/2007/xmlsec/ws/papers/04-hill-isecpartners
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
DO NOT REPLY [Bug 44629] Switch order of XML Signature validation
steps
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=44629
sean.mullan@sun.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.