- From: Tom Gindin <tgindin@us.ibm.com>
- Date: Tue, 4 Feb 2003 15:12:39 -0500
- To: Joseph Swaminathan <jswamina@cisco.com>
- Cc: Rich Salz <rsalz@datapower.com>, w3c-ietf-xmldsig@w3.org
Joseph: Some responses below. I think you've uncovered an actual attack against some possible RP software - not mainly by substituting X509yyy parameter values, but by adding KeyValue to them. The attack I see (against RP software in which KeyValue's are accepted) is that an attacker will extract the key from a certificate (probably in X509Certificate, but possibly retrieved elsewhere given some of the other parameters), create a KeyValue from it, and add a phony X509SubjectName. IMHO, you should be suspicious of a KeyInfo containing KeyValue and either X509IssuerSerial or X509SubjectName. Is there anybody on the list who creates such constructs in their software, and if so, why? Tom Gindin Joseph Swaminathan <jswamina@cisco.com>@w3.org on 02/04/2003 09:42:38 AM Sent by: w3c-ietf-xmldsig-request@w3.org To: Rich Salz <rsalz@datapower.com> cc: w3c-ietf-xmldsig@w3.org Subject: Re: X509 data element Rich Salz wrote: > > 1. When X509 certificate element is present, is there any need > > for X509IssuerSerial, X509SubjectName, X509SKI, elements. Is > > it possible for all of these to be present. If so, what is > > the significance of the later three, as the first one contains > > all of them. > > Many implementations actually provide more than one of the differnet > forms in the same signature. Yes, the certificate includes all the > other data, but it requires a fairly heavy-duty ASN1/DER parser. > Breaking out the alternate "lookup keys" is just "friendly," as it were. Since the signature value on the signature node only covers the signed info element, the individual x.509 elements present in the key info is not signed at all. In that case, how can these values be trusted, unless it is cross verified with x.509 certificate. [Tom] You can't verify the signature on the document without getting the public key info. This would have to be gotten either from the certificate (in which case you've got all the individual values to check) or KeyValue. Wont it be possible for a hacker to intercept the XML document and add these individual x.509 elements which is not consistent with x.509 certicate and change the signed info as he pleases. [Tom] The danger you are talking about would occur only if somebody were to specify KeyValue with one of those elements, and you were to take their word for it. thanks Joseph > > 2. Also, how is a certificate validated. Is it by > > That's a local trust issue, and depends on your implementation and > business requirements. A common 80/20 technique is to verify that the > certificate *or it's issuer* came from a locally-configured trusted list. > > /r$
Received on Tuesday, 4 February 2003 15:16:52 UTC