- From: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>
- Date: Tue, 02 Apr 2002 15:39:21 +0200
- To: Karel Wouters <Karel.Wouters@esat.kuleuven.ac.be>, Aleksey Sanin <aleksey@aleksey.com>
- Cc: xml-encryption@w3.org
Hi Karel,

but this attack is always possible, isn't it? If the verifying application allows (accepts) weak signature methods, an attacker can change the ds:SignatureMethod/@Algorithm value and the ds:SignatureValue. This attack does not depend on whether the SignatureMethod is optional or not.

Or am I completely on the wrong track?

Regards,
Christian

--On Tuesday, 2 April 2002 16:00 +0200 Karel Wouters <Karel.Wouters@esat.kuleuven.ac.be> wrote:

> Hi,
>
> I think that SignatureMethod in ds:SignedInfo should be present in
> each signature, because it restricts the attacker:
> If I leave out SignatureMethod, the attacker might be able to come up with
> a weaker SignatureMethod, tamper with the references and claim that the
> signature was produced with this method.
> RSA with a weak hash algorithm would suffice.
> (actually, he might produce 'any' signature if the hash function is weak
> enough)
>
> So specifying the SignatureMethod ensures the verifier that this signature
> is generated with a solid technique.
>
> (mailinglist, correct me if I'm wrong)
>
> Karel.
>
> On Mon, 1 Apr 2002, Aleksey Sanin wrote:
>
>> Sorry for mistype, actually I meant SignatureMethod in XMLDSig:
>>
>> A minor issue but probably it's worth fixing: the EncryptionMethod
>> in XMLEncryption and SignatureMethod in XMLDSig both have the same
>> meaning: algorithm selection. However, EncryptionMethod is *optional*
>> element and SignatureMethod is *required*. From my point of view it is
>> inconsistent. Either both should be required or both should be optional.
>> I would prefer the second (both optional) since application can have this
>> information from the context.
>>
>>
>> Aleksey Sanin <aleksey@aleksey.com>
>> http://www.aleksey.com/xmlsec
Received on Tuesday, 2 April 2002 08:34:57 UTC
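
The message above turns on what the verifying application is willing to accept. As an added example (not code from this thread or from any XMLDSig library), here is a Python check that rejects a ds:Signature whose SignatureMethod or DigestMethod is missing or outside an allowlist, before any cryptographic verification is attempted. The allowlist contents, the function names and the sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}

# Assumed verifier policy (not from the thread): only these URIs are accepted.
ALLOWED_SIGNATURE = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"}
ALLOWED_DIGEST = {"http://www.w3.org/2001/04/xmlenc#sha256"}

def check_algorithms(signature_xml):
    """Return a list of policy violations; an empty list means acceptable."""
    root = ET.fromstring(signature_xml)
    sig = root if root.tag == f"{{{DS}}}Signature" else root.find(".//ds:Signature", NS)
    if sig is None:
        return ["no ds:Signature element"]
    info = sig.find("ds:SignedInfo", NS)
    if info is None:
        return ["no ds:SignedInfo element"]
    problems = []
    # The algorithm is read from the document, but the decision is local policy:
    # a missing or unlisted value is rejected, never defaulted or trusted.
    method = info.find("ds:SignatureMethod", NS)
    alg = method.get("Algorithm") if method is not None else None
    if alg is None:
        problems.append("SignatureMethod/@Algorithm missing")
    elif alg not in ALLOWED_SIGNATURE:
        problems.append(f"signature algorithm not allowed: {alg}")
    refs = info.findall("ds:Reference", NS)
    if not refs:
        problems.append("no ds:Reference")
    for i, ref in enumerate(refs):
        dm = ref.find("ds:DigestMethod", NS)
        dalg = dm.get("Algorithm") if dm is not None else None
        if dalg not in ALLOWED_DIGEST:
            problems.append(f"Reference[{i}] digest algorithm not allowed: {dalg}")
    return problems

def sample(sig_alg, digest_alg):
    """Build a constructed ds:Signature; the values are placeholders, not real signatures."""
    method = f'<ds:SignatureMethod Algorithm="{sig_alg}"/>' if sig_alg else ""
    return (f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>'
            '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
            f'{method}<ds:Reference URI="#doc"><ds:DigestMethod Algorithm="{digest_alg}"/>'
            '<ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>'
            '</ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>')
```

A production verifier would run this check on the same parsed tree it later canonicalizes and verifies, so the algorithm it approved is the one it actually uses.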