

Subject: Re: [dss] RE: <DocumentURI>


I pretty much agree with everything Trevor wrote, except that I want to 
emphasize this:

> There's a security concern, if the client asks the server to sign 
> something the server has access to, but the client doesn't.

It is a HUGE security issue.  Suppose, for example, the DSS is running 
on a Unix box and I send it a request for an enveloping signature of 
"file:///home/root/passwords" or some such?

Suppose I say "here's the URL I want you to sign", but the URL is one of 
those phony "click here to get off our mailing list" spam things?

etc.

	/r$
-- 
Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
XML Security Overview  http://www.datapower.com/xmldev/xmlsecurity.html
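
One way a signing server could vet a client-supplied URI before dereferencing it, covering the `file:` and third-party URL cases raised in the message above. This is an added example, not part of the original post or of any DSS implementation; the HTTPS-only policy, the allowlist, the host names and the function name are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumptions for this sketch: HTTPS only, and an operator-maintained allowlist.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"docs.example.org"}  # constructed host name


def check_document_uri(uri, allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason) for a client-supplied URI the server is asked to fetch."""
    try:
        parts = urlsplit(uri)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "malformed URI"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        # Rejects file: and any other scheme that would read local or
        # unexpected resources with the server's privileges.
        return False, "scheme not permitted"
    if parts.username is not None or parts.password is not None:
        # "https://docs.example.org@other.example/" actually names other.example.
        return False, "userinfo not permitted"
    if not host:
        return False, "no host"
    try:
        ipaddress.ip_address(host)
        return False, "IP-literal host not permitted"
    except ValueError:
        pass  # not an IP literal, continue with the name check
    if host not in allowed_hosts:
        # Covers arbitrary third-party URLs whose retrieval has side effects.
        return False, "host not on allowlist"
    return True, "ok"


# Constructed sample requests, including the two cases from the message.
SAMPLES = [
    "file:///home/root/passwords",
    "https://lists.example.net/unsubscribe?id=123",
    "https://docs.example.org@other.example/a.xml",
    "https://127.0.0.1/admin",
    "https://DOCS.example.org./contracts/a.xml",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_document_uri(sample))
```

A fetcher that uses this check also has to apply it to every redirect target, or refuse redirects, because a first URI that passes says nothing about where the response leads.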


