
security-services message



Subject: RE: Defective sign & encrypt vis-a-vis SAML?


My apologies for sending that link.  You can get a PS version at
http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.ps or an HTML version
at http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html, neither of
which requires USENIX membership.

--Jeremy


> -----Original Message-----
> From: Hal Lockhart [mailto:hal.lockhart@entegrity.com]
> Sent: Friday, July 13, 2001 4:31 PM
> To: 'Jeremy Epstein'; OASIS SSTC List
> Subject: RE: Defective sign & encrypt vis-a-vis SAML?
>
>
> This paper is restricted to USENIX members. Does anybody know where there is
> a public copy? (We are probably members, but I am sure it will be a pain to
> track down whoever knows the password.)
>
> Hal
>
> > -----Original Message-----
> > From: Jeremy Epstein [mailto:jepstein@webmethods.com]
> > Sent: Thursday, July 12, 2001 5:05 PM
> > To: OASIS SSTC List.
> > Subject: Defective sign & encrypt vis-a-vis SAML?
> >
> >
> > I'm sure many of you have heard about Don Davis' moderately controversial
> > paper on defective sign & encrypt in S/MIME, XML Signature, and other
> > standards (see
> > http://www.usenix.org/publications/library/proceedings/usenix01/davis.html
> > for the paper).  It's not that the crypto algorithms are broken, it's that
> > they're being used in broken ways that allow surreptitious forwarding, among
> > other things.
> >
> > Has anyone given any thought to the way SAML specifies signing & encrypting
> > of assertions and other stuff?  This has been discussed briefly on the XML
> > Encryption list...
> >
> > Or is it too soon to think about such a thing?
> >
> > --Jeremy
> >
> > -----------------------------------------------------------
> > Jeremy Epstein                          voice: 703-460-5852
> > Director, Product Security & Performance  FAX: 703-460-5999
> > webMethods, Inc.                         cell: 703-989-8907
> > Fairfax Virginia             email: jepstein@webMethods.com
> > -----------------------------------------------------------


