Re: [scap-dev] Broken XML signatures in USGCB datastreams

It seems we can draw the following conclusions:

1) NIST violates best practice #24
2) Oracle's workaround #1 violates best practice #25, and
3) Neither necessarily implies susceptibility to a wrapping attack

Thanks for all your assistance!

(Harold -- feel free to cross-post my responses)

Regards,
--David Solin

On 10/23/2014 8:40 AM, Cantor, Scott wrote:
> On 10/23/14, 9:26 AM, "Booth, Harold" <harold.booth@nist.gov> wrote:
>
>> Hi Scott,
>>
>>   Thank you for your responses. If I read your responses correctly:
> That all looks accurate to me.
>
>> Do you mind if I forward both of your responses to the mailing list
>> (scap-dev@nist.gov) from which the discussion of this issue began?
> Sure.
>
>> You did a better job than I did countering the misconceptions
>> surrounding signature wrapping attacks and how to avoid them and I would
>> also like to be sure the group on that list are aware of those issues as
>> well as both best practices.
> I wasn't too precise in that email in discussing IDs and wrapping attacks,
> which are a fairly deep swamp, but if it's helpful, sure.
>
> -- Scott
>


-- 

jOVAL.org: SCAP Simplified.
Learn More <http://www.joval.org> | Features <http://www.joval.org/features/> | Download <http://www.joval.org/download/>

Received on Thursday, 23 October 2014 20:50:04 UTC