Category: XML

  • XML Signature and Canonical XML 2.0 drafts available

    The W3C has published two first drafts, XML Signature Syntax and Processing and Canonical XML, of the upcoming version 2.0. The new XML Signature version promises more simplicity and more performance. Chapter 10 lists the differences from the current version. In short: New namespace dsig2, Canonical XML 2.0 and a completely changed transformation model which…

  • Apache Santuario 1.4.3 available

    Version 1.4.3 of Apache XML Security (Santuario) is available. If you use this API, you should update to the new release as soon as possible. This release doesn't provide any new features, but includes a lot of bug fixes, including a correction for the relatively serious security vulnerability that was discovered recently.

  • HMAC truncation authentication bypass in XML Signature

    There is a vulnerability in XML Signatures. The W3C recommendation includes support for HMAC truncation, as specified in RFC 2104. The thing is, this support is not complete: the RFC does not allow truncation to less than half of the length of the hash output or less than 80 bits (whichever comes first). The XML Signature…

  • XML Signatures for widgets

    The WebApps working group has published a first working draft of the Widgets 1.0: Digital Signatures recommendation. This is normally neither my working nor my research area. But this recommendation already makes use of XML Signature 1.1 and is a really cool and obvious usage scenario for XML Signatures. Since the widgets are based on…

  • A whole bunch of new XML Security working drafts

    The W3C XML Security Working Group released eight first public working drafts last week, from updated XML Encryption 1.1 and XML Signature 1.1 specifications to some entirely new ones. Among others, these drafts include revisions to XML Signature and XML Encryption to support new algorithms and a new document proposing simplifications to the XML…

  • Best Practices for XML Signatures

    A few days ago, the W3C published a collection of 16 best practices for digital signatures with XML at http://www.w3.org/TR/2008/WD-xmldsig-bestpractices-20081114/. It is still a Working Draft (i.e. comments are welcome at the Working Group), but a first look at it can't hurt anyone who works with XML Signatures. In general, with the…