Re: XML Signature Verification Response Interoperability/Schema Proposal

From: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>
Date: Tue, 18 Dec 2001 12:32:24 +0100
To: "Manoj K. Srivastava" <manoj@infomosaic.com>, w3c-ietf-xmldsig@w3.org
Cc: xml-dsig-verification-schema@yahoogroups.com
Message-ID: <3656397595.1008678744@pinkpanther>

Hi Manoj,

--On Monday, 17 December 2001 17:46 -0800 "Manoj K. Srivastava" 
<manoj@infomosaic.com> wrote:

> I would like to collaborate with people involved with XML Signatures to
> define a schema for providing XML Signature Verification results. As W3C
> DSIG standard leaves this completely to the discretion of application
> developers, an alternative effort is needed to define this schema. It
> will help make XML Signatures widely usable.

I think that you have to be very careful about how much information your 
implementation gives the application/user/attacker about a non-verifying 
signature. I know that there have been successful attacks on SSL because 
the server was too noisy and provided too much information about protocol 
failures. It must be ensured that such information cannot be exploited by 
an attacker.

Regards,
Christian
Received on Tuesday, 18 December 2001 06:29:31 GMT
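
The concern raised in the reply above, as an added sketch that is not part of the original message or of any XML Signature implementation: the verifier records the precise failure reason internally but gives an untrusted caller one uniform failure shape. An HMAC over a SHA-256 digest stands in for XML Signature reference and signature validation; all names and the key are hypothetical and constructed.

```python
import hashlib, hmac, logging, secrets
from enum import Enum

log = logging.getLogger("dsig.verify")
KEYS = {"k1": b"constructed-demo-key"}  # constructed sample key store

class Failure(Enum):  # internal-only reasons (hypothetical names)
    MALFORMED = "malformed signature structure"
    UNKNOWN_KEY = "key not found"
    DIGEST_MISMATCH = "reference digest mismatch"
    SIGNATURE_MISMATCH = "signature value mismatch"

def sign(doc: bytes, key_id: str) -> dict:
    """Stand-in signer: digest the document, then MAC the digest."""
    digest = hashlib.sha256(doc).hexdigest()
    value = hmac.new(KEYS[key_id], digest.encode(), hashlib.sha256).hexdigest()
    return {"key_id": key_id, "digest": digest, "value": value}

def check_internal(doc: bytes, sig: dict):
    """Return None on success, else the precise Failure (never sent to callers)."""
    if not all(isinstance(sig.get(f), str) for f in ("key_id", "digest", "value")):
        return Failure.MALFORMED
    key = KEYS.get(sig["key_id"])
    if key is None:
        return Failure.UNKNOWN_KEY
    digest = hashlib.sha256(doc).hexdigest()
    if not hmac.compare_digest(digest.encode(), sig["digest"].encode()):
        return Failure.DIGEST_MISMATCH
    expected = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), sig["value"].encode()):
        return Failure.SIGNATURE_MISMATCH
    return None

def verify_for_caller(doc: bytes, sig: dict) -> dict:
    """Result for an untrusted caller: every failure looks the same."""
    reason = check_internal(doc, sig)
    if reason is None:
        return {"valid": True}
    ref = secrets.token_hex(8)  # opaque id linking the response to the log entry
    log.warning("verification failed ref=%s reason=%s", ref, reason.value)
    return {"valid": False, "ref": ref}

if __name__ == "__main__":
    doc = b"<order id='1'/>"  # constructed sample document
    good = sign(doc, "k1")
    print(verify_for_caller(doc, good))
    print(verify_for_caller(b"<order id='2'/>", good))
```

This only makes the response content uniform; timing differences between the failure paths are a separate channel that it does not address.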
