- From: Tom Gindin <tgindin@us.ibm.com>
- Date: Tue, 9 Apr 2002 17:11:35 -0400
- To: reagle@w3.org
- Cc: aleksey@aleksey.com, xml-encryption@w3.org
Joseph:
I have just about reached the conclusion that it would be reasonable
to make SignatureMethod optional, but its being mandatory is mostly
harmless and it's probably too late to change in XMLDSIG. This discussion
is not going to result in any changes to XMLENC.
Tom Gindin
Joseph Reagle <reagle@w3.org> on 04/08/2002 06:03:54 PM
Please respond to reagle@w3.org
To: aleksey@aleksey.com, Tom Gindin/Watson/IBM@IBMUS
cc: xml-encryption@w3.org
Subject: Re: EncryptionMethod in XMLEnc and SignatureMethod in XMLDSig
On Friday 05 April 2002 21:37, Aleksey Sanin wrote:
> Exactly! Algorithm substitution attack as you are describing it is
> *exactly* the same as general attack "find signature for
> algorithm+document without key".
I'm not sure (if) to what degree this conversation is interesting
discussion of what is a substitution attack versus an outstanding objection
to the element being optional. I think we're in interesting discussion
territory and have noted the issue closed, "Reagle: agree it is
inconsistent, but no harm done and no consensus to change." [1] If this is
not correct, please let me know.
[1] http://www.w3.org/Encryption/2001/11/last-call-issues#CandidateREC
--
Joseph Reagle Jr. http://www.w3.org/People/Reagle/
W3C Policy Analyst mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair http://www.w3.org/Signature/
W3C XML Encryption Chair http://www.w3.org/Encryption/2001/
Received on Wednesday, 10 April 2002 08:01:29 UTC