Errata for XML Signature 2nd Edition

This document:
http://www.w3.org/2008/06/xmldsigcore-errata.html
Last revised:
$Date: 2009/12/09 10:47:06 $
This document records known errata in:
http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/
The latest version of the XML Signature Recommendation:
http://www.w3.org/TR/xmldsig-core/

About this document

This document lists known errata to the Recommendation. Each entry has the following information:

  1. A unique identifier
  2. The date it was added to the errata page
  3. A classification of the error (e.g., editorial, clarification, bug, known problem with the document itself)
  4. A short description of the problem and what part of the Recommendation is affected.
  5. Any proposed corrections and whether those corrections would affect conformance of documents or software
  6. Any normative corrections; see the section on Errata Management in the W3C Process Document ([PROCESS] section 7.6.1) for more information about normative corrections

Errata

All Errata in this document are proposed in the sense of the process document. Proposed errata become normative when they are incorporated into an edited (or otherwise updated) version of the underlying specification.

E01: Error in example in section 2.1

Added:
2008-12-15 roessler
Accepted
XML Security WG 2009-06-09
Raised:
28 August 2008
Class:
editorial
Affects conformance:
No

The Simple Example should include a leading < character on the closing DigestValue tag in line [s10]:

[s10]     <DigestValue>dGhpcyBpcyBub3QgYSBzaWduYXR1cmUK...</DigestValue>

E02: Obsolete and incorrect material in section 9

Added:
2009-06-12 roessler
Accepted:
XML Security WG 2009-06-09
Raised:
10 May 2009
Class:
editorial
Affects conformance:
No

Section 9.0, Schema, DTD, Data Model, and Valid Examples should only contain the XML Signature Schema Instance and XML Signature DTD material. The RDF Data Model is out of date, so that material should be removed from the section. The examples should also be removed from the section since they are misleading (e.g. including a "null transform"). The recommendation contains suitable examples in other sections. The title of the section should be changed to "Schema and DTD" in the heading and table of contents.

E03: HMAC truncation (CVE-2009-0217)

Added:
2009-07-14 roessler
Accepted:
XML Security WG 2009-04-21 (minuted offline)
Class:
substantive
Affects conformance:
yes

The following text is added to section 4.3.2 The SignatureMethod Element:

The ds:HMACOutputLength parameter is used for HMAC algorithms (including the HMAC-SHA1 algorithm defined in this spec, and HMAC algorithms based on other hash algorithms). The parameter specifies a truncation length in bits. If this parameter is trusted without further verification, then this can lead to a security bypass [CVE-2009-0217]. Signatures MUST be deemed invalid if the truncation length is below half the underlying hash algorithm's output length, or 80 bits, whichever of these two values is greater. Note that some implementations are known to not accept truncation lengths that are lower than the underlying hash algorithm's output length.

The first paragraph of section 6.3.1 HMAC is changed as follows:

The HMAC-SHA1 algorithm (RFC2104 [HMAC]) takes the truncation length in bits as a parameter; if the parameter is not specified, then all the bits of the hash are output. For the HMAC-SHA1 algorithm, any signature with a truncation length of less than 80 bits MUST be deemed invalid. An example of an HMAC-SHA1 SignatureMethod element: ...

This erratum addresses a vulnerability in a number of implementations of XML Signature. See CVE-2009-0217 and CERT Vulnerability Note 466161 for details.

E04: HMAC padding

Added:
2009-12-09 roessler
Accepted:
XML Security WG 2009-12-08
Class:
substantive
Affects conformance:
yes

The following text is added to section 6.3.1 HMAC:

For best interoperability, signature applications SHOULD set the HMACOutputLength parameter to a value that is a multiple of 8. If the HMACOutputLength parameter is not divisible by 8, verifiers MAY use the nearest multiple of 8 that is smaller than HMACOutputLength instead; the previous considerations about minimum values for HMACOutputLength apply. This optional cut-off is equivalent to ignoring the rightmost 1-7 bits of the HMAC's output.
$Id: xmldsigcore-errata.html,v 1.7 2009/12/09 10:47:06 roessler Exp $