W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > July to September 2000

Re: Followup on I18N Last Call comments and disposition

From: John Cowan <cowan@locke.ccil.org>
Date: Fri, 7 Jul 2000 22:29:30 -0400 (EDT)
To: tgindin@us.ibm.com
cc: "Joseph M. Reagle Jr." <reagle@w3.org>, "Martin J. Duerst" <duerst@w3.org>, w3c-ietf-xmldsig@w3.org, John Boyer <jboyer@PureEdge.com>
Message-ID: <Pine.BSI.3.95.1000707222103.10658B-100000@locke.ccil.org>
On Fri, 7 Jul 2000 tgindin@us.ibm.com wrote:

>      In short, normalizing prior to digesting AVOIDS allowing
> inconsequential changes to change the digest.  If I have misunderstood the
> point of the section cited, I'm sure someone will correct me.

Your scenario is correct as far as it goes.  But consider a signed
document that contains an element or attribute named
"autorisation_de_découvert" ("credit limit").
A forged version of the document that contained the name
"autorization_de_de'couvert" (where ' = COMBINING ACUTE) would pass
a normalization + signature check.  However, the document processor
might well fail to recognize it as having the semantics of "credit limit"
and treat it as unknown and to be ignored.  Bad news: the forger
now appears to have unlimited credit!

-- 
John Cowan                                   cowan@ccil.org
C'est la` pourtant que se livre le sens du dire, de ce que, s'y conjuguant
le nyania qui bruit des sexes en compagnie, il supplee a ce qu'entre eux,
de rapport nyait pas.               -- Jacques Lacan, "L'Etourdit"
Received on Friday, 7 July 2000 21:52:48 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:10 GMT