- From: John Boyer <jboyer@uwi.com>
- Date: Fri, 12 Nov 1999 10:04:32 -0800
- To: "Greg Whitehead" <gwhitehead@signio.com>, "DSig Group" <w3c-ietf-xmldsig@w3.org>
Hi Greg, This is not the only concrete example. If you go back to the letter I sent (or indeed my IETF presentation conclusion) you will find that it is not only possible for transforms to reduce security but also to obliterate it entirely. Rather than omitting the SignatureMethod, simply omit the DigestValue from ObjectReferences, which disconnects the signer from the signed. Still, no application is going to create such signatures precisely because they will make such newsworthy fodder for the Bruce Schneier types of the world. Essentially, signing SignedInfo is an implied ObjectReference. Whatever fears we have about omission from SignedInfo are precisely the same fears for omission from referenced objects. It is a dangerous but necessary feature (and yes I can explain why (again) in painstaking detail for those who require it, or you could just come to heckle my presentation of the material at RSA2000). John Boyer Software Development Manager UWI.Com -- The Internet Forms Company I just thought of a concrete example: SignatureMethod is included in SignedInfo to protect against a downgrade attack, should one of the currently approved signature methods be broken. Allowing arbitrary transformation of SignedInfo could potentially defeat this protection by allowing an attacker to introduce a transformation that substitutes in a broken SignatureMethod along with a reference to a modified object and other changes (exploiting the broken signature method to produce the original SignatureValue over the modified SignedInfo). -Greg
Received on Friday, 12 November 1999 13:05:22 UTC