Subject: Draft 'DSS core 1.0 non-repudiation attack'
Hi folks,
here is my draft of a text regarding the DSS core 1.0 non-repudiation problem and the recommended mitigations. We can discuss it on tomorrow's call:
'The DSS core 1.0 became an OASIS standard in 2007. It defines an interface for signature creation and validation for different signature formats and supports multiple variants to transport the documents to be signed or verified. The combination of the InlineXML option (XML payload within the DSS transport document) and a specially crafted XMLDSig allows an attacker to circumvent the non-repudiation property of the signature. The details regarding this problem are explained in detail in a short presentation (https://www.oasis-open.org/committees/document.php?document_id=67357&wg_abbrev=dss-x).
The recommended mitigation is to move to DSS-X core 2.0. Alternatively, the use of the InlineXML option.'
Greetings,
Andreas
--
Andreas Kühne
Chair of OASIS DSS-X
phone: +49 177 293 24 97
mailto: kuehne@trustable.de
Trustable Ltd. Niederlassung Deutschland
Gartenheimstr. 39C - 30659 Hannover
Amtsgericht Hannover HRB 212612
Director Andreas Kühne
Company UK Company No: 5218868
Registered in England and Wales