W3C home > Mailing lists > Public > xml-encryption@w3.org > April 2002

Re: possible DoS attack

From: Ed Simon <edsimon@xmlsec.com>
Date: Fri, 12 Apr 2002 17:04:34 -0400
Message-ID: <000701c1e265$a62d5e90$f2a0fea9@DJQC7111>
To: <xml-encryption@w3.org>
I suggest changing

"Consequently, applications should be able to identify such attacks and
restrict arbitrary recursion and the total amount of processing and
networking resources a request can consume."

to

"Consequently, decryptors should allow limits on arbitrary recursion and the
total amount of processing and networking resources a request can consume."

Ed
----- Original Message -----
From: "Joseph Reagle" <reagle@w3.org>
To: <aleksey@aleksey.com>; "Blair Dillaway" <blaird@microsoft.com>
Cc: <xml-encryption@w3.org>
Sent: Friday, April 12, 2002 4:54 PM
Subject: Re: possible DoS attack


> On Thursday 11 April 2002 13:08, Aleksey Sanin wrote:
> > I don't suggest
> > to change the XML Encryption design but I do think that a warning
> > about possible problem is a good idea.
>
>
> http://www.w3.org/Encryption/2001/Drafts/xmlenc-core/#sec-Denial
> $Revision: 1.181 $ on $Date: 2002/04/12 20:42:15 $ GMT
> [[
> 6.4 Denial of Service
>
>  This specification permits recursive processing. For example, the
> following scenario is possible: EncryptedKey A requires EncryptedKey B to
> be decrypted, which itself requires EncryptedKey A! Or, an attacker might
> submit an EncryptedData for decryption that references network resources
> that are very large or continually redirected. Consequently, applications
> should be able to identify such attacks and restrict arbitrary recursion
> and the total amount of processing and networking resources a request can
> consume.
> ]]
>
>
Received on Friday, 12 April 2002 17:05:03 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 October 2009 08:42:20 GMT