- From: Tom Gindin <tgindin@us.ibm.com>
- Date: Tue, 9 Apr 2002 17:11:35 -0400
- To: reagle@w3.org
- Cc: aleksey@aleksey.com, xml-encryption@w3.org
Joseph: I have just about reached the conclusion that it would be reasonable to make SignatureMethod optional, but it's being mandatory is mostly harmless and it's probably too late to change in XMLDSIG. This discussion is not going to result in any changes to XMLENC. Tom Gindin Joseph Reagle <reagle@w3.org> on 04/08/2002 06:03:54 PM Please respond to reagle@w3.org To: aleksey@aleksey.com, Tom Gindin/Watson/IBM@IBMUS cc: xml-encryption@w3.org Subject: Re: EncryptionMethod in XMLEnc and SignatureMethod in XMLDSig On Friday 05 April 2002 21:37, Aleksey Sanin wrote: > Exactly! Algorithm substitution attack as you are describing it is > *exactly* the same as general attack "find signature for > algorithm+document without key". I'm not sure (if) to what degree this conversation is interesting discussion of what is a substitution attach versus an outstanding objection to the element being optional. I think we're in interesting discussion territory and have noted the issue closed, "Reagle: agree it is inconsistent, but no harm done and no consensus to change." [1] If this is not correct, please let me know. [1] http://www.w3.org/Encryption/2001/11/last-call-issues#CandidateREC -- Joseph Reagle Jr. http://www.w3.org/People/Reagle/ W3C Policy Analyst mailto:reagle@w3.org IETF/W3C XML-Signature Co-Chair http://www.w3.org/Signature/ W3C XML Encryption Chair http://www.w3.org/Encryption/2001/
Received on Wednesday, 10 April 2002 08:01:29 UTC