
Re: possible DoS attack

From: Joseph Reagle <reagle@w3.org>
Date: Fri, 12 Apr 2002 16:54:41 -0400
Message-Id: <200204122054.QAA22481@tux.w3.org>
To: aleksey@aleksey.com, Blair Dillaway <blaird@microsoft.com>
Cc: xml-encryption@w3.org

On Thursday 11 April 2002 13:08, Aleksey Sanin wrote:
> I don't suggest
> to change the XML Encryption design but I do think that a warning
> about possible problem is a good idea.


http://www.w3.org/Encryption/2001/Drafts/xmlenc-core/#sec-Denial
$Revision: 1.181 $ on $Date: 2002/04/12 20:42:15 $ GMT
[[
6.4 Denial of Service 

 This specification permits recursive processing. For example, the 
following scenario is possible: EncryptedKey A requires EncryptedKey B to 
be decrypted, which itself requires EncryptedKey A! Or, an attacker might 
submit an EncryptedData for decryption that references network resources 
that are very large or continually redirected. Consequently, applications 
should be able to identify such attacks and restrict arbitrary recursion 
and the total amount of processing and networking resources a request can 
consume. 
]]
Received on Friday, 12 April 2002 16:54:44 GMT
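
An added example, not part of the original message or of the specification: one way an application could enforce the limits that section 6.4 asks for, rejecting the EncryptedKey A/B cycle and capping chain depth, bytes fetched and redirects. The names `Budget`, `LimitExceeded`, `resolve_key_chain` and the limit values are assumptions made for illustration.

```python
class LimitExceeded(Exception):
    """A decryption request exceeded a limit and must be rejected."""


class Budget:
    """Per-request limits (the default values are illustrative assumptions)."""

    def __init__(self, max_depth=8, max_bytes=1_000_000, max_redirects=5):
        self.max_depth = max_depth
        self.bytes_left = max_bytes
        self.redirects_left = max_redirects

    def charge_bytes(self, n):
        # Call for every chunk read from a referenced network resource.
        self.bytes_left -= n
        if self.bytes_left < 0:
            raise LimitExceeded("referenced data exceeds byte budget")

    def charge_redirect(self):
        # Call each time a referenced resource redirects elsewhere.
        self.redirects_left -= 1
        if self.redirects_left < 0:
            raise LimitExceeded("too many redirects")


def resolve_key_chain(needs, start, budget):
    """Return the order in which keys must be decrypted to reach `start`.

    `needs` maps an EncryptedKey name to the name of the EncryptedKey that
    protects it, or None when the key-encryption key is already held locally.
    """
    chain, seen, current = [], set(), start
    while current is not None:
        if current in seen:
            raise LimitExceeded(f"cyclic key reference at {current!r}")
        if len(chain) >= budget.max_depth:
            raise LimitExceeded("key chain deeper than max_depth")
        if current not in needs:
            raise KeyError(f"unknown EncryptedKey {current!r}")
        seen.add(current)
        chain.append(current)
        current = needs[current]
    return chain[::-1]  # dependencies first, requested key last


# Constructed sample inputs.
CYCLIC = {"A": "B", "B": "A"}              # the scenario from section 6.4
LINEAR = {"A": "B", "B": "C", "C": None}   # a legitimate three-key chain
```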
