[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: Update of public committee page (DSS-X)
Dear Chet,
I updated the "Group Notes" via kavi to add a new top list item under
Announcements:
"""
<li><b>Security Notice:</b> The DSS core 1.0 became OASIS standard in
2007. It defines an interface for signature creation and validation for
different signature formats and supports multiple variants to transport
the documents to be signed or verified. The combination of
InlineXML-option (XML-payload within the DSS transport document) and a
specially crafted XMLDSig allows an attacker to circumvent the
non-repudiation property of the signature. The details regarding this
problem are explained in detail in a short (<a
href="" href="https://www.oasis-open.org/committees/document.php?document_id=67357&wg_abbrev=dss-x" rel="noreferrer" target="_blank">https://www.oasis-open.org/committees/document.php?document_id=67357&wg_abbrev=dss-x">presentation</a>).
The recommended mitigation is to <b>move to DSS-X core 2.0</b>.
Alternatively, <b>deny the use of the InlineXML option</b>.'
</li>
"""
I am sorry if I forgot, but does this automatically update the public
page announcement section (after some time) or do I need to take an
additioal action? ... or maybe only OASIS admin can do?
Happy to receive any support in this matter.
All the best,
Stefan
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]