OASIS Mailing List Archives: office message

Subject: RE: [office] "XML vulnerability leads to calls for standards change"


I saw a separate notification of this on comp.risks.

The paper should be up on the ACM Digital Library at some point.  I will watch 
for it.

Meanwhile, note that the vulnerability is in the use of CBC.  So long as CBC 
is not used in conjunction with a block cipher, it may be the bullet is 
escaped.  The default ODF 1.0/1.1/1.2 encryption uses 8-bit CFB, not CBC, with 
Blowfish as the block cipher.  There needs to be more information.  I also 
need to look through my comp.risks backlog to see what more information there 
may be since the conference.

The suggestion that XML encryption should be scrapped is a bit over-the-top. 
It will be interesting to see what the W3C folks come up with.  It isn't 
really about XML but particular encryption procedures using block ciphers. 
The vulnerabilities apply regardless of whether they are permitted in XML 
Encryption or not.

 - Dennis

-----Original Message-----
From: office@lists.oasis-open.org [mailto:office@lists.oasis-open.org] On 
Behalf Of robert_weir@us.ibm.com
Sent: Monday, October 24, 2011 08:48
To: office@lists.oasis-open.org
Subject: [office] "XML vulnerability leads to calls for standards change"

Anyone else see this?  Is it legit?

http://www.zdnetasia.com/xml-vulnerability-leads-to-calls-for-standards-change-62302612.htm


-Rob
