- From: Amir Herzberg <AMIR@newgenpay.com>
- Date: Mon, 16 Apr 2001 18:52:34 +0300
- To: "Xml Encrypt (E-mail)" <xml-encryption@w3.org>
Unfortunately I'm also kind of lurking now for a while (deadlines...) but let me briefly answer Jeremy.... > Amir Herzberg wrote (in response to Joseph Reagle's comments on the subject): > >The problem is beyond that of a transform, since it is the result of > >the encryption itself - if proper precautions are not taken. > Specifically, > >a dishonest signer can send a signed message sign(E_k(m)) > but when there's > >a dispute, and the recipient is showing > <k,E_k(m),sign(E_k(m))>, the sender > >produces another pair <k',E_k'(m'),sign()> where > E_k'(m')=E_k(m). Or a > >dishonest recipient may find such <k',m'>. So I believe XML > Encrypt should > >address this concern. > > I agree with Amir that signing encrypted documents isn't > ideal. If I'm > understanding correctly, this is an example of a traditional birthday > attack. As a non-cryptographer, how feasible are birthday This is not a birthday attack at all. It is a `classical` choosen-signature attack. I.e. the attacker here is a dishonest signer who..., well, I guess I'll end repeating what I said before, and considering my current time pressure I'll hope that suggesting you re-read my note will suffice (or if not ask again and I'll elaborate). > I have no problem with noting this as a security > consideration (as I believe Joseph Reagle suggested). Indeed, I believe Joseph has embedded the necessary language in the recommendation already. > > Cryptographers, please prove me right or wrong! Hope you are convinced now. Best regards, Amir Herzberg CTO, NewGenPay Inc. See our demo and overview/tutorials on secure e-commerce in http://www.NewGenPay.com
Received on Monday, 16 April 2001 11:49:21 UTC