W3C home > Mailing lists > Public > xml-encryption@w3.org > April 2002

Re: EncryptionMethod in XMLEnc and SignatureMethod in XMLDSig

From: Joseph Reagle <reagle@w3.org>
Date: Mon, 8 Apr 2002 18:03:54 -0400
Message-Id: <200204082203.SAA10461@tux.w3.org>
To: aleksey@aleksey.com, Tom Gindin <tgindin@us.ibm.com>
Cc: xml-encryption@w3.org
On Friday 05 April 2002 21:37, Aleksey Sanin wrote:
> Exactly! Algorithm substitution attack as you are describing it is
> *exactly* the same as general attack "find signature for
>  algorithm+document without key".

I'm not sure (if) to what degree this conversation is interesting 
discussion of what is a substitution attach versus an outstanding objection 
to the element being optional. I think we're in interesting discussion 
territory and have noted the issue closed, "Reagle: agree it is 
inconsistent, but no harm done and no consensus to change." [1] If this is 
not correct, please let me know.


[1] http://www.w3.org/Encryption/2001/11/last-call-issues#CandidateREC



-- 

Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature/
W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/
Received on Monday, 8 April 2002 18:04:00 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 October 2009 08:42:20 GMT