- From: Berin Lautenbach <berin@wingsofhermes.org>
- Date: Wed, 23 Jun 2004 21:05:23 +1000
- To: www-xkms@w3.org

Hey all,

Another obvious thought (I'm good at them :>).

I assume there is a requirement on implementations to ensure that the signature(s) in a message actually refer(s) to the XKMS content. That's probably pretty obvious, but I can see some fairly trivial attacks against implementations that just check a signature is valid without ensuring that the reference actually refers to the XKMS message.

Is this something worth mentioning in the security section?

Cheers,
Berin

Received on Wednesday, 23 June 2004 07:05:26 UTC
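
The binding check raised in the message above, as an added example that is not part of the original post or of any XKMS implementation. It assumes an enveloped `ds:Signature` that is a direct child of the XKMS message element and references the message through its `Id` attribute; the function name and the sample messages are constructed, and cryptographic validation of the signature is assumed to happen separately.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
XKMS = "{http://www.w3.org/2002/03/xkms#}"


def signed_reference_covers_message(xml_text):
    """Return True only if the message's own ds:Signature references its Id.

    This is the binding check only; it does not verify the signature value.
    For untrusted input, parse with a hardened XML parser instead.
    """
    root = ET.fromstring(xml_text)
    if not root.tag.startswith(XKMS):
        return False
    msg_id = root.get("Id")
    if not msg_id:
        return False
    # The Id must be unambiguous: exactly one element may carry it.
    if sum(1 for el in root.iter() if el.get("Id") == msg_id) != 1:
        return False
    # Only a signature that is a direct child of the message counts.
    signature = root.find(DS + "Signature")
    if signature is None:
        return False
    refs = signature.findall(DS + "SignedInfo/" + DS + "Reference")
    return any(ref.get("URI") == "#" + msg_id for ref in refs)


def _sample(ref_uri, extra=""):
    # Constructed sample; digest and signature values are placeholders.
    return (
        '<LocateRequest xmlns="http://www.w3.org/2002/03/xkms#" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="msg-1" '
        'Service="http://example.org/xkms">'
        '<ds:Signature><ds:SignedInfo>'
        f'<ds:Reference URI="{ref_uri}">'
        '<ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>'
        '</ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>'
        f'{extra}</ds:Signature></LocateRequest>'
    )


BOUND = _sample("#msg-1")  # reference points at the message itself
UNBOUND = _sample("#other", '<ds:Object Id="other">unrelated</ds:Object>')
AMBIGUOUS = _sample("#msg-1", '<ds:Object Id="msg-1"/>')  # duplicate Id
```

A receiver would run this alongside normal signature validation and reject the message if either step fails.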