Hi folks,
here is my draft of a text regarding the DSS core 1.0 non-repudiation problem and the recommended mitigations. We can discuss it on tomorrow's call:

'The DSS core 1.0 became an OASIS standard in 2007. It defines an interface for signature creation and validation for different signature formats and supports multiple variants to transport the documents to be signed or verified. The combination of the InlineXML option (XML payload within the DSS transport document) and a specially crafted XMLDSig allows an attacker to circumvent the non-repudiation property of the signature. The details regarding this problem are explained in detail in a short presentation (https://www.oasis-open.org/committees/document.php?document_id=67357&wg_abbrev=dss-x). The recommended mitigation is to move to DSS-X core 2.0. Alternatively, the use of the InlineXML option.'
Greetings,
Andreas
--
Andreas Kühne
Chair of OASIS DSS-X
phone: +49 177 293 24 97
mailto: kuehne@trustable.de
Trustable Ltd. Niederlassung Deutschland, Gartenheimstr. 39C, 30659 Hannover, Amtsgericht Hannover HRB 212612
Director Andreas Kühne
Company UK Company No: 5218868, Registered in England and Wales