The attached paper (attached with permission of its authors) describes in detail the attack vector described in my 2009 April [1] post and subsequent discussions (looks like we independently became concerned about the same issue). Please review it so that we discuss whether there is general agreement that we need to address it. Thanks, Ed [1] http://lists.w3.org/Archives/Public/public-xmlsec/2009Apr/0025.html -------- Forwarded Message -------- From: Meiko Jensen <Meiko.Jensen@ruhr-uni-bochum.de> To: edsimon@xmlsec.com, Meiko Jensen <Meiko.Jensen@rub.de>, Jörg Schwenk <joerg.schwenk@rub.de>, 'Thomas Roessler' <tlr@w3.org>, 'Frederick Hirsch' <Frederick.Hirsch@nokia.com> Subject: Re: namespace wrapping attacks against XML Signature? Date: Tue, 24 Nov 2009 10:51:42 +0100 (CET) Hi Ed, see below... Ed Simon schrieb am 2009-11-23: > Thanks Meiko, ... > Is the W3C allowed to post your paper to the W3C public archive list? Feel free to do so :) best regards from Bochum, Germany Meiko > Regards, > Ed -- ======================================== Ed Simon 613-726-9645 edsimon@xmlsec.com
Received on Tuesday, 1 December 2009 21:09:29 UTC