- From: Kenneth Jensen <xmlsec@gmail.com>
- Date: Wed, 18 May 2005 23:19:40 +0200
- To: www-xkms@w3.org
Hi Stephen,

On 5/18/05, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> Forget Locate - Validate with just a KeyValue is expected to
> happen often. I can even get a victim application to do the xkms
> query on my behalf, just by sending it a ds:Signature with a
> ds:KeyInfo that only contains a ds:KeyValue - which is basically
> the default case for xmlsig....

OK, I admit not having used xml-sig for anything but this project, but even if my app would encounter a signature with just a keyinfo/keyvalue element, it would still have some faint idea where the document came from (email, webservice url, web url). Verifying a signature based on just the keyvalue doesn't give me a feeling of great security. And if my application only knows the value of the key, how will it know which XKMS service to ask for more information? I'm sorry if I seem a bit blind on this...

> For a given key pair, that's roughly as likely as guessing the
> factorisation by chance, isn't it?

I totally agree with you that, for all practical purposes, this is a non-issue and the probability of success is as large as that of earning those 40 mill. from Mr. Takumbe in Nigeria, whose uncle died in a plane crash, leaving a fortune of hundreds of millions, for which he just needs your $1000 to withdraw. Still, I'm writing a thesis, and my advisor wants me to come up with something academic/theoretical, so it seemed worth a try to follow the idea. ;-)

Thanks for ranting along with me though.

---
Cheers,
Kenneth
Received on Wednesday, 18 May 2005 21:29:34 UTC
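As an added example (not code from this thread, nor from any XKMS or XML-DSig implementation), the check below does what Kenneth's reply argues an application should do: look at what a ds:KeyInfo actually carries, and treat a bare ds:KeyValue as key material that the signature itself says nothing about, so it may only be resolved against an XKMS service the application has configured for the document's origin, never one named by the document. The sample signatures, the origin-to-service map `XKMS_SERVICE_BY_ORIGIN`, the function names and the placeholder key material are all constructed for the example.

```python
"""Classify the trust material in a ds:KeyInfo and decide how a signature
may be verified.  Example code with constructed inputs; the XKMS service
mapping is a hypothetical application configuration."""
from __future__ import annotations

import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Hypothetical configuration: which XKMS service the application trusts for
# documents arriving from a given origin.  The key point is that the origin
# (not the signed document) selects the service.
XKMS_SERVICE_BY_ORIGIN = {
    "https://partner.example/ws": "https://xkms.partner.example/validate",
}

# Constructed sample signatures.  SignatureValue and key material are
# placeholder base64 ("AAAA"); only the KeyInfo structure matters here.
SIGNED_INFO = (
    '<SignedInfo>'
    '<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>'
    '<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
    '</SignedInfo>'
)
SIG_KEYVALUE_ONLY = (
    f'<Signature xmlns="{DS_NS}">{SIGNED_INFO}<SignatureValue>AAAA</SignatureValue>'
    '<KeyInfo><KeyValue><RSAKeyValue><Modulus>AAAA</Modulus><Exponent>AQAB</Exponent>'
    '</RSAKeyValue></KeyValue></KeyInfo></Signature>'
)
# Signature nested inside a larger document, carrying a certificate as well.
SIG_WITH_CERT = (
    f'<Envelope><Body>payload</Body><Signature xmlns="{DS_NS}">{SIGNED_INFO}'
    '<SignatureValue>AAAA</SignatureValue><KeyInfo>'
    '<X509Data><X509Certificate>AAAA</X509Certificate></X509Data>'
    '<KeyValue><RSAKeyValue><Modulus>AAAA</Modulus><Exponent>AQAB</Exponent>'
    '</RSAKeyValue></KeyValue></KeyInfo></Signature></Envelope>'
)
SIG_NO_KEYINFO = (
    f'<Signature xmlns="{DS_NS}">{SIGNED_INFO}<SignatureValue>AAAA</SignatureValue></Signature>'
)


def keyinfo_kinds(signature_xml: str) -> set[str]:
    """Return the local names of the children of ds:KeyInfo, e.g. {"KeyValue"}.
    An empty set means the signature carries no ds:KeyInfo at all."""
    root = ET.fromstring(signature_xml)
    sig_tag = f"{{{DS_NS}}}Signature"
    # The Signature may be the document root or embedded in another document.
    sig = root if root.tag == sig_tag else root.find(f".//{sig_tag}")
    if sig is None:
        raise ValueError("no ds:Signature element found")
    keyinfo = sig.find(f"{{{DS_NS}}}KeyInfo")
    if keyinfo is None:
        return set()
    return {child.tag.split("}", 1)[1] for child in keyinfo if isinstance(child.tag, str)}


def trust_decision(kinds: set[str], origin: str | None,
                   service_map: dict[str, str] = XKMS_SERVICE_BY_ORIGIN) -> str:
    """Map the KeyInfo contents plus the document's origin to a verification path."""
    if not kinds:
        return "reject-no-keyinfo"
    if "X509Data" in kinds:
        # A certificate chain can be built against the application's own trust anchors.
        return "local-pki"
    if kinds <= {"KeyValue", "KeyName"}:
        # A bare key or name: the signature says nothing about who holds it.
        # Only an XKMS service chosen from the origin can answer that question.
        return "xkms-validate" if origin in service_map else "reject-bare-key"
    return "reject-unsupported-keyinfo"


def decide(signature_xml: str, origin: str | None) -> str:
    """Convenience wrapper: classify the KeyInfo, then apply the policy."""
    return trust_decision(keyinfo_kinds(signature_xml), origin)


if __name__ == "__main__":
    print(decide(SIG_KEYVALUE_ONLY, "mailto:someone@example.org"))   # reject-bare-key
    print(decide(SIG_KEYVALUE_ONLY, "https://partner.example/ws"))  # xkms-validate
    print(decide(SIG_WITH_CERT, None))                              # local-pki
    print(decide(SIG_NO_KEYINFO, "https://partner.example/ws"))     # reject-no-keyinfo
```

The policy deliberately answers the question in the mail from the application's side: when the signature carries only a KeyValue, the place the document came from decides whether there is an XKMS service to ask at all, and a document from an origin with no configured service is simply not verifiable by this path.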