- From: Tom Gindin <tgindin@us.ibm.com>
- Date: Wed, 5 Feb 2003 14:22:46 -0500
- To: Rich Salz <rsalz@datapower.com>
- Cc: Joseph Swaminathan <jswamina@cisco.com>, w3c-ietf-xmldsig@w3.org
Rich:

My own position is a little different. I think that the presence of both KeyValue and X509SubjectName suggests that X509SubjectName is unreliable, and is likely (not just possibly) the aftereffect of an attack.

On a similar subject, is it really a good idea for X509Certificate to be present with either X509SubjectName or X509IssuerSerial? If the RP application uses the smaller field for display purposes to avoid the complexity of parsing the certificate, it opens a similar attack to the KeyValue/SubjectName one, and if it doesn't the smaller field is pointless.

Tom Gindin

Rich Salz <rsalz@datapower.com> on 02/05/2003 01:33:17 PM

To: Joseph Swaminathan <jswamina@cisco.com>
cc: Tom Gindin/Watson/IBM@IBMUS, w3c-ietf-xmldsig@w3.org
Subject: Re: X509 data element

> My question is, if there is a content in the XML document we
> cannot trust, then shouldn't we, not use it for any purpose. What
> situation a data which can't be trusted be useful.

Signature validation might be performed by a third-party service that has no knowledge of the signer identities; separating authentication from authorization. Perhaps it might help if you think of validation as a tri-state: trusted, untrusted, and indeterminate.

<example removed>

Your example can be summarized like this: the organization is using unsigned data in its operations, and that can be hacked. I agree. But that's irrelevant here.

/r$
Received on Wednesday, 5 February 2003 14:24:29 UTC
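
The combinations discussed in this message can be flagged mechanically before a relying party displays anything from KeyInfo. The following is an added example, not part of the original message or of the XML Signature specification; the function name, the finding labels and both sample documents are constructed, and the `lookup-hint-only` label is an assumption about how a bare name hint should be treated.

```python
import xml.etree.ElementTree as ET  # for untrusted input, a hardened parser such as defusedxml is preferable

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed samples; key and certificate bodies are dummy placeholders.
KEYVALUE_PLUS_NAME = """<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <KeyValue><RSAKeyValue><Modulus>AA==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue></KeyValue>
  <X509Data><X509SubjectName>CN=Alice, O=Example</X509SubjectName></X509Data>
</KeyInfo>"""

CERT_PLUS_HINTS = """<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <X509Data>
    <X509IssuerSerial><X509IssuerName>CN=Example CA</X509IssuerName>
      <X509SerialNumber>12345</X509SerialNumber></X509IssuerSerial>
    <X509SubjectName>CN=Alice, O=Example</X509SubjectName>
    <X509Certificate>AA==</X509Certificate>
  </X509Data>
</KeyInfo>"""


def audit_name_hints(keyinfo_xml):
    """Return (field, value, finding) for every name hint in a KeyInfo element.

    None of the returned values is safe to display as the signer identity:
    they are unsigned text that nothing here has checked against a key.
    """
    root = ET.fromstring(keyinfo_xml)
    has_key_value = root.find("ds:KeyValue", NS) is not None
    findings = []
    for x509 in root.findall("ds:X509Data", NS):
        has_cert = x509.find("ds:X509Certificate", NS) is not None
        hints = [("X509SubjectName", (el.text or "").strip())
                 for el in x509.findall("ds:X509SubjectName", NS)]
        for el in x509.findall("ds:X509IssuerSerial", NS):
            issuer = (el.findtext("ds:X509IssuerName", "", NS) or "").strip()
            serial = (el.findtext("ds:X509SerialNumber", "", NS) or "").strip()
            hints.append(("X509IssuerSerial", f"{issuer} #{serial}"))
        for field, value in hints:
            if has_cert:
                finding = "duplicates-certificate"  # show the parsed certificate's own fields instead
            elif has_key_value:
                finding = "unbound-to-keyvalue"     # nothing ties this name to the bare key
            else:
                finding = "lookup-hint-only"        # assumption: use only to locate a certificate
            findings.append((field, value, finding))
    return findings
```
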