Re: Another question (Signatures)

Yes it should be mentioned if its not, so best is probably
to add this to the issues list so it gets properly checked.

Of course, I wouldn't be surprised if there were malware
variants of dsig (given that XPath is included!) that you
could come up with, but that's not an XKMS issue, its a
general dsig issue.

But, if anyone comes up with an interesting XKMS-specific
abuse of dsig then I'll buy 'em a beer or the politically
correct equivalent (E.g. using RetrievalMethod and multiple
XKMS clients/responders to generate an infintie loop? Probably
can't happen:-)


Berin Lautenbach wrote:

> Hey all,
> Another obvious thought (I'm good at them :>).
> I assume there is a requirement on implementations to ensure that the 
> signature(s) in a message actually refer(s) to the XKMS content.  That's 
> probably pretty obvious, but I can see some fairly trivial attacks 
> against implementations that just check a signature is valid without 
> ensuring that the reference actualy refers to the XKMS message.
> Is this something worth mentioning in the security section?
> Cheers,
>     Berin

Received on Wednesday, 23 June 2004 07:19:19 UTC