W3C home > Mailing lists > Public > xml-encryption@w3.org > April 2002

Re: EncryptionMethod in XMLEnc and SignatureMethod in XMLDSig

From: Tom Gindin <tgindin@us.ibm.com>
Date: Tue, 9 Apr 2002 17:11:35 -0400
To: reagle@w3.org
Cc: aleksey@aleksey.com, xml-encryption@w3.org
Message-ID: <OF79B8413E.8E753468-ON85256B96.0073FC50@pok.ibm.com>


      I have just about reached the conclusion that it would be reasonable
to make SignatureMethod optional, but it's being mandatory is mostly
harmless and it's probably too late to change in XMLDSIG.  This discussion
is not going to result in any changes to XMLENC.

            Tom Gindin

Joseph Reagle <reagle@w3.org> on 04/08/2002 06:03:54 PM

Please respond to reagle@w3.org

To:    aleksey@aleksey.com, Tom Gindin/Watson/IBM@IBMUS
cc:    xml-encryption@w3.org
Subject:    Re: EncryptionMethod in XMLEnc and SignatureMethod in XMLDSig

On Friday 05 April 2002 21:37, Aleksey Sanin wrote:
> Exactly! Algorithm substitution attack as you are describing it is
> *exactly* the same as general attack "find signature for
>  algorithm+document without key".

I'm not sure (if) to what degree this conversation is interesting
discussion of what is a substitution attach versus an outstanding objection

to the element being optional. I think we're in interesting discussion
territory and have noted the issue closed, "Reagle: agree it is
inconsistent, but no harm done and no consensus to change." [1] If this is
not correct, please let me know.

[1] http://www.w3.org/Encryption/2001/11/last-call-issues#CandidateREC


Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature/
W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/
Received on Wednesday, 10 April 2002 08:01:29 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:32:03 UTC