- From: Ed Simon <edsimon@xmlsec.com>
- Date: Fri, 12 Apr 2002 17:04:34 -0400
- To: <xml-encryption@w3.org>
I suggest changing "Consequently, applications should be able to identify such attacks and restrict arbitrary recursion and the total amount of processing and networking resources a request can consume." to "Consequently, decryptors should allow limits on arbitrary recursion and the total amount of processing and networking resources a request can consume."

Ed

----- Original Message -----
From: "Joseph Reagle" <reagle@w3.org>
To: <aleksey@aleksey.com>; "Blair Dillaway" <blaird@microsoft.com>
Cc: <xml-encryption@w3.org>
Sent: Friday, April 12, 2002 4:54 PM
Subject: Re: possible DoS attack

> On Thursday 11 April 2002 13:08, Aleksey Sanin wrote:
> > I don't suggest to change the XML Encryption design but I do think
> > that a warning about possible problem is a good idea.
>
> http://www.w3.org/Encryption/2001/Drafts/xmlenc-core/#sec-Denial
> $Revision: 1.181 $ on $Date: 2002/04/12 20:42:15 $ GMT
> [[
> 6.4 Denial of Service
>
> This specification permits recursive processing. For example, the
> following scenario is possible: EncryptedKey A requires EncryptedKey B to
> be decrypted, which itself requires EncryptedKey A! Or, an attacker might
> submit an EncryptedData for decryption that references network resources
> that are very large or continually redirected. Consequently, applications
> should be able to identify such attacks and restrict arbitrary recursion
> and the total amount of processing and networking resources a request can
> consume.
> ]]
Received on Friday, 12 April 2002 17:05:03 UTC
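The kind of decryptor-side limit the proposed wording asks for, as an added illustration that is not code from this thread or from any XML Encryption implementation: it follows EncryptedKey RetrievalMethod chains with a cycle check, a depth cap and a fetch budget, and refuses references that leave the document. The sample document (including the A/B cycle from the spec text), the class and the limit names are constructed for this example.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: A needs B and B needs A (the cycle from section 6.4);
# D needs C, and C is decryptable directly with a named key-encryption key.
SAMPLE = f"""<root xmlns="{XENC}" xmlns:ds="{DS}">
  <EncryptedKey Id="A"><ds:KeyInfo><ds:RetrievalMethod URI="#B"/></ds:KeyInfo></EncryptedKey>
  <EncryptedKey Id="B"><ds:KeyInfo><ds:RetrievalMethod URI="#A"/></ds:KeyInfo></EncryptedKey>
  <EncryptedKey Id="C"><ds:KeyInfo><ds:KeyName>kek</ds:KeyName></ds:KeyInfo></EncryptedKey>
  <EncryptedKey Id="D"><ds:KeyInfo><ds:RetrievalMethod URI="#C"/></ds:KeyInfo></EncryptedKey>
</root>"""


class ResourceLimitExceeded(Exception):
    """Raised when a request would exceed the decryptor's configured limits."""


class BoundedKeyResolver:
    def __init__(self, doc, max_depth=4, max_fetches=8):
        root = ET.fromstring(doc)
        self.keys = {el.get("Id"): el for el in root.iter(f"{{{XENC}}}EncryptedKey")}
        self.max_depth, self.max_fetches, self.fetches = max_depth, max_fetches, 0

    def _fetch(self, uri):
        # Only same-document references are honoured; a real decryptor would
        # also cap bytes read and redirects followed for any remote reference.
        self.fetches += 1
        if self.fetches > self.max_fetches:
            raise ResourceLimitExceeded(f"fetch budget exhausted at {uri}")
        if not uri.startswith("#") or uri[1:] not in self.keys:
            raise ResourceLimitExceeded(f"external or unknown reference refused: {uri}")
        return self.keys[uri[1:]]

    def chain(self, key_id):
        """Return the EncryptedKey Ids to decrypt, innermost first."""
        visited, path, el = set(), [], self.keys[key_id]
        while True:
            cur = el.get("Id")
            if cur in visited:
                raise ResourceLimitExceeded(f"cycle at {cur}")
            if len(path) >= self.max_depth:
                raise ResourceLimitExceeded(f"depth limit {self.max_depth} reached at {cur}")
            visited.add(cur)
            path.append(cur)
            rm = el.find("ds:KeyInfo/ds:RetrievalMethod", {"ds": DS})
            if rm is None:  # no further reference: this key is decrypted directly
                return list(reversed(path))
            el = self._fetch(rm.get("URI"))


def describe(key_id, **limits):
    """Summarise a resolution attempt as 'ok:<chain>' or 'refused:<reason>'."""
    try:
        return "ok:" + ">".join(BoundedKeyResolver(SAMPLE, **limits).chain(key_id))
    except ResourceLimitExceeded as e:
        return "refused:" + str(e)
```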