From: Erwin van der Koogh <[EMAIL PROTECTED]>

Somewhere in your code you have a reference to a particular ID, but it's not always possible to see what attributes are of type ID. To

Not sure I understand this completely. Does this mean that, from a parser/resolver point of view, it is impossible to find out the type of an attribute? For example, if I have the following two schemas, does it mean that it's impossible to distinguish between the two?

==== Schema 1: id is of type "xs:ID" ==================

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema elementFormDefault="qualified" xml:lang="EN"
        targetNamespace="http://www.mydomain.com/demo/Test"
        xmlns:test="http://www.mydomain.com/demo/Test"
        xmlns:xs="http://www.w3.org/2001/XMLSchema">

<xs:element name="TestO" type="test:TestType"/>

        <xs:complexType name="TestType">
                <xs:sequence>
                        <xs:element name="Name" type="xs:string"/>
                        <xs:element name="Value" type="xs:integer"/>
                </xs:sequence>
                <xs:attribute name="id" type="xs:ID"/>
        </xs:complexType>

</xs:schema>

==== Schema 2: id is of type "xs:string" ==================

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema elementFormDefault="qualified" xml:lang="EN"
        targetNamespace="http://www.mydomain.com/demo/Test2"
        xmlns:test="http://www.mydomain.com/demo/Test2"
        xmlns:xs="http://www.w3.org/2001/XMLSchema">

<xs:element name="TestO" type="test:TestType"/>

        <xs:complexType name="TestType">
                <xs:sequence>
                        <xs:element name="Name" type="xs:string"/>
                        <xs:element name="Value" type="xs:integer"/>
                </xs:sequence>
                <xs:attribute name="id" type="xs:string"/>
        </xs:complexType>

</xs:schema>


make it easier to program we have included an IDResolver that instead tries to guess what you want by trying to find attributes called Id/ID/id. This is potentially insecure, as someone could introduce XML that would be picked instead and change the XML you tried to sign. It's then possible that when you verify the signature you verify the copy of the XML. Then there is the risk that you take the modified XML and use that instead.


Sounds reasonable.


A little bit fabricated, but potentially insecure, depending on how you use the library.

The preferred way would be to use a custom Resolver. See the examples ;)

Which resolver? You mean, like the OfflineResolver? Or are you talking about the IdResolver?

Thanks

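The failure mode described in the quoted paragraph, as an added illustration that is not part of the thread and not code from Apache XML Security: a resolver that guesses the ID by attribute name is compared with one that only accepts the `id` attribute Schema 1 declares as `xs:ID` (the one on the root `TestO` element). The signature is simplified to a SHA-256 digest of the serialized referenced element, a stand-in for the real DigestValue and canonicalization pipeline; `guessing_resolver`, `strict_resolver`, the documents and the reference `order-1` are all constructed for this example.

```python
"""
Added example (not from the original thread or from Apache XML Security):
why an ID resolver that guesses by attribute name can be steered to the
wrong element, and why one that knows where the ID lives cannot.
"""
import hashlib
from typing import Callable, Optional
import xml.etree.ElementTree as ET

NS = "http://www.mydomain.com/demo/Test"   # targetNamespace of Schema 1
ID_ATTR_NAMES = ("Id", "ID", "id")         # what a guessing resolver looks for

# Constructed input: the document the signer intended to sign.
SIGNED_DOC = (
    '<test:TestO xmlns:test="http://www.mydomain.com/demo/Test" id="order-1">'
    '<test:Name>widget</test:Name><test:Value>10</test:Value></test:TestO>'
)

# Constructed attacker input: the root keeps the shape the application reads
# but with Value changed and the signed id removed, while the untouched
# original is tucked inside an extra element that nothing validates.
WRAPPED_DOC = (
    '<test:TestO xmlns:test="http://www.mydomain.com/demo/Test">'
    '<test:Name>widget</test:Name><test:Value>9999</test:Value>'
    '<Wrapper>'
    '<test:TestO id="order-1"><test:Name>widget</test:Name>'
    '<test:Value>10</test:Value></test:TestO>'
    '</Wrapper></test:TestO>'
)

Resolver = Callable[[ET.Element, str], Optional[ET.Element]]


def element_digest(elem: ET.Element) -> str:
    """Stand-in for a Reference digest: SHA-256 of the serialized element."""
    return hashlib.sha256(ET.tostring(elem)).hexdigest()


def guessing_resolver(root: ET.Element, ref: str) -> Optional[ET.Element]:
    """Mimics the 'find anything called Id/ID/id' strategy: the first match
    in document order wins, wherever it sits in the tree."""
    for elem in root.iter():
        for name in ID_ATTR_NAMES:
            if elem.get(name) == ref:
                return elem
    return None


def strict_resolver(root: ET.Element, ref: str) -> Optional[ET.Element]:
    """Hypothetical custom resolver: only the 'id' attribute on the root
    TestO element (the xs:ID of Schema 1) is an ID. Anything else carrying
    a same-named attribute is ignored."""
    if root.tag == f"{{{NS}}}TestO" and root.get("id") == ref:
        return root
    return None


def verify(doc: str, ref: str, expected_digest: str, resolver: Resolver) -> bool:
    """Resolve the reference, digest what was found, compare."""
    root = ET.fromstring(doc)
    target = resolver(root, ref)
    return target is not None and element_digest(target) == expected_digest


def application_value(doc: str) -> int:
    """What the application actually consumes: Value of the root TestO."""
    root = ET.fromstring(doc)
    return int(root.find(f"{{{NS}}}Value").text)


def demo() -> dict:
    """Sign the original, then verify both documents with both resolvers."""
    digest = element_digest(ET.fromstring(SIGNED_DOC))
    return {
        "guessing_original": verify(SIGNED_DOC, "order-1", digest, guessing_resolver),
        "guessing_wrapped": verify(WRAPPED_DOC, "order-1", digest, guessing_resolver),
        "strict_original": verify(SIGNED_DOC, "order-1", digest, strict_resolver),
        "strict_wrapped": verify(WRAPPED_DOC, "order-1", digest, strict_resolver),
        "value_consumed": application_value(WRAPPED_DOC),
    }


if __name__ == "__main__":
    for key, result in demo().items():
        print(f"{key}: {result}")
```

With the guessing resolver the wrapped document verifies, because the copy the attacker left intact is the first element with an attribute named `id`, while the application reads `9999` from the root; the strict resolver finds no signed element at the only place an ID is allowed and fails closed. The lesson is the one in the quoted reply: the resolver has to know which attribute is the ID, and a custom resolver is where that knowledge goes.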