W3C home > Mailing lists > Public > www-xkms@w3.org > May 2005

Re: Questions reg. XKMS spec

From: Kenneth Jensen <xmlsec@gmail.com>
Date: Wed, 18 May 2005 23:19:40 +0200
Message-ID: <c3f7464b05051814195edfd847@mail.gmail.com>
To: www-xkms@w3.org

Hi Stephen,

On 5/18/05, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:

> Forget Locate - Validate with just a KeyValue is expected to
> happen often. I can even get a victim application to do the xkms
> query on my behalf, just by sending it a ds:Signature with a
> ds:KeyInfo that only contains a ds:KeyValue - which is basically
> the default case for xmlsig....

OK, I admit not having used xml-sig for anything but this project, but
even if my app would encounter a signature with just a
keyinfo/keyvalue element, it would still have some faint idea where
the document came from (email, webservice url, web url).
Verifying a signature based on just the keyvalue doesn't give me a
feeling of great security.

And if my application only knows the value of the key, how will it
know which XKMS service to ask for more information? I'm sorry if I
seem a bit blind on this...

> For a given key pair, that's roughly as likely as guessing the
> factorisation by chance, isn't it?

I totally agree with you, that for all practical purposes, this is a
non issue and the probability of success is as large as it is earning
those 40 mill. from mr. Takumbe in Nigeria, whose uncle died in a
plane crash, leaving a fortune of hundreds of millions, for which, he
just needs your 1000$ to withdraw.

Still, I'm writing a thesis, and my advisor wants me to come up with
something academical/theoretical, so it seemed worth a try to follow
the idea.  ;-)

Thanks for ranting along with me though.

Received on Wednesday, 18 May 2005 21:29:34 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:31:44 UTC