The attached paper (attached with permission of its authors) describes
in detail the attack vector described in my 2009 April [1] post and
subsequent discussions (looks like we independently became concerned
about the same issue). Please review it so that we discuss whether there
is general agreement that we need to address it.
Thanks,
Ed
[1] http://lists.w3.org/Archives/Public/public-xmlsec/2009Apr/0025.html
-------- Forwarded Message --------
From: Meiko Jensen <Meiko.Jensen@ruhr-uni-bochum.de>
To: edsimon@xmlsec.com, Meiko Jensen <Meiko.Jensen@rub.de>, Jörg Schwenk
<joerg.schwenk@rub.de>, 'Thomas Roessler' <tlr@w3.org>, 'Frederick
Hirsch' <Frederick.Hirsch@nokia.com>
Subject: Re: namespace wrapping attacks against XML Signature?
Date: Tue, 24 Nov 2009 10:51:42 +0100 (CET)
Hi Ed, see below...
Ed Simon wrote on 2009-11-23:
> Thanks Meiko,
...
> Is the W3C allowed to post your paper to the W3C public archive list?
Feel free to do so :)
best regards from Bochum, Germany
Meiko
> Regards,
> Ed
--
========================================
Ed Simon
613-726-9645
edsimon@xmlsec.com