

Subject: RE: [office] "XML vulnerability leads to calls for standards change"


It also has to do with being able to see data go by, block by block, and the ability to get in the middle and set the initialization vector - I'm working from memory here, and may not have exact details.

However, what it boils down to is that neither the OOXML nor the ODF approaches to encryption are affected, and both are as good or bad as they were before this.

I'd tend to agree that the significance of the flaw may be overstated.

________________________________________
From: office@lists.oasis-open.org [office@lists.oasis-open.org] on behalf of Dennis E. Hamilton [dennis.hamilton@acm.org]
Sent: Monday, October 24, 2011 10:03 AM
To: office@lists.oasis-open.org
Subject: RE: [office] "XML vulnerability leads to calls for standards change"

I saw a separate notification of this on comp.risks.

The paper should be up on the ACM Digital Library at some point.  I will watch
for it.

Meanwhile, note that the vulnerability is in the use of CBC.  So long as CBC
is not used in conjunction with a block cipher, it may be the bullet is
escaped.  The default ODF 1.0/1.1/1.2 encryption uses 8-bit CFB, not CBC, with
Blowfish as the block cipher.  There needs to be more information.  I also
need to look through my comp.risks backlog to see what more information there
may be since the conference.

The suggestion that XML encryption should be scrapped is a bit over-the-top.
It will be interesting to see what the W3C folks come up with.  It isn't
really about XML but particular encryption procedures using block ciphers.
The vulnerabilities apply regardless of whether they are permitted in XML
Encryption or not.

 - Dennis

-----Original Message-----
From: office@lists.oasis-open.org [mailto:office@lists.oasis-open.org] On
Behalf Of robert_weir@us.ibm.com
Sent: Monday, October 24, 2011 08:48
To: office@lists.oasis-open.org
Subject: [office] "XML vulnerability leads to calls for standards change"

Anyone else see this?  Is it legit?

http://www.zdnetasia.com/xml-vulnerability-leads-to-calls-for-standards-change-62302612.htm


-Rob

