W3C home > Mailing lists > Public > www-xkms@w3.org > June 2004

Re: Another question (Signatures)

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Wed, 23 Jun 2004 12:19:03 +0100
Message-ID: <40D96727.4030106@cs.tcd.ie>
To: Berin Lautenbach <berin@wingsofhermes.org>
Cc: www-xkms@w3.org


Yes it should be mentioned if its not, so best is probably
to add this to the issues list so it gets properly checked.

Of course, I wouldn't be surprised if there were malware
variants of dsig (given that XPath is included!) that you
could come up with, but that's not an XKMS issue, its a
general dsig issue.

But, if anyone comes up with an interesting XKMS-specific
abuse of dsig then I'll buy 'em a beer or the politically
correct equivalent (E.g. using RetrievalMethod and multiple
XKMS clients/responders to generate an infintie loop? Probably
can't happen:-)

Cheers,
S.

Berin Lautenbach wrote:

> 
> Hey all,
> 
> Another obvious thought (I'm good at them :>).
> 
> I assume there is a requirement on implementations to ensure that the 
> signature(s) in a message actually refer(s) to the XKMS content.  That's 
> probably pretty obvious, but I can see some fairly trivial attacks 
> against implementations that just check a signature is valid without 
> ensuring that the reference actualy refers to the XKMS message.
> 
> Is this something worth mentioning in the security section?
> 
> Cheers,
>     Berin
> 
Received on Wednesday, 23 June 2004 07:19:19 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 October 2009 08:39:22 GMT