
Re: Another question (Signatures)

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Wed, 23 Jun 2004 12:19:03 +0100
Message-ID: <40D96727.4030106@cs.tcd.ie>
To: Berin Lautenbach <berin@wingsofhermes.org>
Cc: www-xkms@w3.org

Yes, it should be mentioned if it's not, so best is probably
to add this to the issues list so it gets properly checked.

Of course, I wouldn't be surprised if there were malware
variants of dsig (given that XPath is included!) that you
could come up with, but that's not an XKMS issue, it's a
general dsig issue.

But, if anyone comes up with an interesting XKMS-specific
abuse of dsig then I'll buy 'em a beer or the politically
correct equivalent (e.g. using RetrievalMethod and multiple
XKMS clients/responders to generate an infinite loop? Probably
can't happen :-)


Berin Lautenbach wrote:

> Hey all,
>
> Another obvious thought (I'm good at them :>).
>
> I assume there is a requirement on implementations to ensure that the 
> signature(s) in a message actually refer(s) to the XKMS content.  That's 
> probably pretty obvious, but I can see some fairly trivial attacks 
> against implementations that just check a signature is valid without 
> ensuring that the reference actually refers to the XKMS message.
>
> Is this something worth mentioning in the security section?
>
> Cheers,
>     Berin
Received on Wednesday, 23 June 2004 07:19:19 UTC
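The check Berin describes above, as an added example that is not part of the original thread: after an XML-DSig library has verified the signature value, confirm that at least one of its References actually covers the XKMS element rather than some unrelated part of the same document. The envelope, element Ids and signature contents below are constructed, and the helper names are assumptions.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
XKMS = "{http://www.w3.org/2002/03/xkms#}"

# Constructed sample: a detached signature whose Reference covers the XKMS
# request (URI="#req"). Real SignedInfo/SignatureValue content is omitted.
SIGNED_REQUEST = """<Envelope xmlns="urn:example:env">
  <Note Id="note">not XKMS</Note>
  <LocateRequest xmlns="http://www.w3.org/2002/03/xkms#" Id="req" Service="urn:example:xkms"/>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo><ds:Reference URI="#req"/></ds:SignedInfo>
    <ds:SignatureValue>c2lnLWJ5dGVz</ds:SignatureValue>
  </ds:Signature>
</Envelope>"""

# Same document, but the (still cryptographically valid) signature only
# covers the unrelated <Note>; the XKMS request itself is unsigned.
SIGNED_NOTE_ONLY = SIGNED_REQUEST.replace('URI="#req"', 'URI="#note"')


def _ancestors(root, node):
    """Yield node and its ancestors up to root (ElementTree has no parent links)."""
    parent = {c: p for p in root.iter() for c in p}
    while node is not None:
        yield node
        node = parent.get(node)


def signature_covers_xkms(doc_xml, local_name="LocateRequest"):
    """True if some same-document ds:Reference targets the XKMS element
    (or an ancestor of it, which signs it too). Call this *after* the
    XML-DSig library has verified the signature value; this only checks
    what the references cover. Assumes 'Id' is the ID attribute (as in XKMS)."""
    root = ET.fromstring(doc_xml)
    target = root if root.tag == XKMS + local_name else root.find(".//" + XKMS + local_name)
    if target is None:
        return False
    ids = {el.get("Id"): el for el in root.iter() if el.get("Id")}
    covering = set(_ancestors(root, target))   # elements whose signing covers target
    for ref in root.iter(DS + "Reference"):
        uri = ref.get("URI")
        if uri == "":                          # whole document (enveloped signature)
            return True
        if uri and uri.startswith("#") and ids.get(uri[1:]) in covering:
            return True
        # external URIs, a missing URI or an unknown Id never count as covering it
    return False
```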
