Hey all,

Another obvious thought (I'm good at them :>). I assume there is a requirement on implementations to ensure that the signature(s) in a message actually refer(s) to the XKMS content. That's probably pretty obvious, but I can see some fairly trivial attacks against implementations that just check a signature is valid without ensuring that the reference actually refers to the XKMS message. Is this something worth mentioning in the security section?

Cheers,
Berin

Received on Wednesday, 23 June 2004 07:05:26 GMT
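The check raised in the message above, as an added example that is not part of the original post or of any XKMS implementation: alongside cryptographic signature validation (not performed here), confirm that a `ds:Reference` in the enveloped signature targets the `Id` of the XKMS message itself. The function name, the sample messages and the strict "only `#Id` is accepted" policy are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XKMS = "http://www.w3.org/2002/03/xkms#"


def reference_targets_message(xml_text):
    """Return True only if a ds:Signature that is a direct child of the XKMS
    root element carries a same-document Reference to the root's Id.
    This is a binding check only; it does not verify the signature value."""
    root = ET.fromstring(xml_text)
    if not root.tag.startswith("{%s}" % XKMS):
        return False                      # not an XKMS message at all
    msg_id = root.get("Id")
    if not msg_id:
        return False                      # nothing a Reference could bind to
    # The Id must be unique, otherwise "#Id" is ambiguous between
    # what was signed and what the application will process.
    ids = [e.get("Id") for e in root.iter() if e.get("Id") is not None]
    if ids.count(msg_id) != 1:
        return False
    ref_path = "{%s}SignedInfo/{%s}Reference" % (DS, DS)
    for sig in root.findall("{%s}Signature" % DS):
        if any(r.get("URI") == "#" + msg_id for r in sig.findall(ref_path)):
            return True
    return False


def sample(ref_uri, with_signature=True):
    """Constructed, simplified message: digest and signature values omitted."""
    sig = (
        '<ds:Signature><ds:SignedInfo><ds:Reference URI="%s"/></ds:SignedInfo>'
        '<ds:Object Id="other">unrelated data</ds:Object></ds:Signature>'
        % ref_uri
    ) if with_signature else ""
    return '<LocateResult xmlns="%s" xmlns:ds="%s" Id="msg1">%s</LocateResult>' % (
        XKMS, DS, sig)


if __name__ == "__main__":
    for uri in ("#msg1", "#other"):
        print(uri, reference_targets_message(sample(uri)))
```

In a real verifier this check belongs on the same `SignedInfo` that was cryptographically validated, so that the reference inspected is the one the signature actually covers.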