OASIS Mailing List Archives
dss-x message



Subject: Re: [dss-x] Draft 'DSS core 1.0 non-repudiation attack'


Hi,

thank you for persevering with this topic, Andreas! Much appreciated.

Maybe better end the statement with a recommendation like

'The recommended mitigation is to move to DSS-X core 2.0. Alternatively, deny the use of the InlineXML option.'

Or similar?

Best,
Stefan

On 28.06.2020 at 20:15, Andreas Kuehne <kuehne@trustable.de> wrote:


Hi folks,


here is my draft of a text regarding the DSS core 1.0 non-repudiation problem and the recommended mitigations. We can discuss it on tomorrow's call:

'The DSS core 1.0 became OASIS standard in 2007. It defines an interface for signature creation and validation for different signature formats and supports multiple variants to transport the documents to be signed or verified. The combination of InlineXML-option (XML-payload within the DSS transport document) and a specially crafted XMLDSig allows an attacker to circumvent the non-repudiation property of the signature. The details regarding this problem are explained in detail in a short presentation (https://www.oasis-open.org/committees/document.php?document_id=67357&wg_abbrev=dss-x)

The recommended mitigation is to move to DSS-X core 2.0. Alternatively, the use of the InlineXML option.'


Greetings,


Andreas

-- 
Andreas Kühne

Chair of OASIS DSS-X
 
phone: +49 177 293 24 97 
mailto: kuehne@trustable.de

Trustable Ltd. Niederlassung Deutschland Gartenheimstr. 39C - 30659 Hannover Amtsgericht Hannover HRB 212612

Director Andreas Kühne

Company UK Company No: 5218868 Registered in England and Wales

