- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Wed, 23 Jun 2004 12:19:03 +0100
- To: Berin Lautenbach <berin@wingsofhermes.org>
- Cc: www-xkms@w3.org
Yes it should be mentioned if it's not, so best is probably to add this to the issues list so it gets properly checked.

Of course, I wouldn't be surprised if there were malware variants of dsig (given that XPath is included!) that you could come up with, but that's not an XKMS issue, it's a general dsig issue.

But, if anyone comes up with an interesting XKMS-specific abuse of dsig then I'll buy 'em a beer or the politically correct equivalent (E.g. using RetrievalMethod and multiple XKMS clients/responders to generate an infinite loop? Probably can't happen:-)

Cheers,
S.

Berin Lautenbach wrote:
>
> Hey all,
>
> Another obvious thought (I'm good at them :>).
>
> I assume there is a requirement on implementations to ensure that the
> signature(s) in a message actually refer(s) to the XKMS content. That's
> probably pretty obvious, but I can see some fairly trivial attacks
> against implementations that just check a signature is valid without
> ensuring that the reference actually refers to the XKMS message.
>
> Is this something worth mentioning in the security section?
>
> Cheers,
> Berin
>
Received on Wednesday, 23 June 2004 07:19:19 UTC
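
The reference-binding check raised in this thread, as an added example that is not part of the original messages or of any XKMS implementation: it accepts a message only if the message-level signature has a `ds:Reference` pointing at the XKMS root element's `Id`. Cryptographic validation of the signature is assumed to be done separately by a DSig library; the function name, the transform allowlist and the sample messages are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
XKMS = "{http://www.w3.org/2002/03/xkms#}"
# Transforms that cannot narrow the signed node set (assumed allowlist).
SAFE_TRANSFORMS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
}

def signature_covers_message(xml_text):
    """True only if the message-level ds:Signature references the XKMS root element."""
    root = ET.fromstring(xml_text)
    msg_id = root.get("Id")
    if not root.tag.startswith(XKMS) or not msg_id:
        return False
    # A duplicated Id makes "#Id" ambiguous, so reject it outright.
    if sum(1 for el in root.iter() if el.get("Id") == msg_id) != 1:
        return False
    signed_info = root.find(DS + "Signature/" + DS + "SignedInfo")
    if signed_info is None:
        return False
    for ref in signed_info.findall(DS + "Reference"):
        algs = {t.get("Algorithm") for t in ref.iter(DS + "Transform")}
        # The reference must name the root Id and use only allowlisted transforms.
        if ref.get("URI") == "#" + msg_id and algs <= SAFE_TRANSFORMS:
            return True
    return False

def _message(ref_uri, transform):
    # Constructed sample: digest and signature values are left out because
    # only the reference binding is examined here.
    return (
        '<LocateResult xmlns="http://www.w3.org/2002/03/xkms#" Id="I1">'
        '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>'
        f'<Reference URI="{ref_uri}"><Transforms>'
        f'<Transform Algorithm="{transform}"/></Transforms></Reference>'
        '</SignedInfo><Object Id="other">unrelated signed data</Object>'
        '</Signature></LocateResult>'
    )

ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
XPATH = "http://www.w3.org/TR/1999/REC-xpath-19991116"
```

A signature that validates over `#other` or that applies an XPath transform is rejected here even though a signature-only check would accept it.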