- From: Joseph Reagle <reagle@w3.org>
- Date: Fri, 12 Apr 2002 16:54:41 -0400
- To: aleksey@aleksey.com, Blair Dillaway <blaird@microsoft.com>
- Cc: xml-encryption@w3.org
On Thursday 11 April 2002 13:08, Aleksey Sanin wrote: > I don't suggest > to change the XML Encryption design but I do think that a warning > about possible problem is a good idea. http://www.w3.org/Encryption/2001/Drafts/xmlenc-core/#sec-Denial $Revision: 1.181 $ on $Date: 2002/04/12 20:42:15 $ GMT [[ 6.4 Denial of Service This specification permits recursive processing. For example, the following scenario is possible: EncryptedKey A requires EncryptedKey B to be decrypted, which itself requires EncryptedKey A! Or, an attacker might submit an EncryptedData for decryption that references network resources that are very large or continually redirected. Consequently, applications should be able to identify such attacks and restrict arbitrary recursion and the total amount of processing and networking resources a request can consume. ]]
Received on Friday, 12 April 2002 16:54:44 UTC