Subject: RE: [office] "XML vulnerability leads to calls for standards change"
It also has to do with being able to see data go by, block by block, and the ability to get in the middle and set the initialization vector - I'm working from memory here, and may not have exact details. However, what it boils down to is that neither the OOXML nor the ODF approaches to encryption are affected, and both are as good or bad as they were before this. I'd tend to agree that the significance of the flaw may be overstated.

________________________________________
From: office@lists.oasis-open.org [office@lists.oasis-open.org] on behalf of Dennis E. Hamilton [dennis.hamilton@acm.org]
Sent: Monday, October 24, 2011 10:03 AM
To: office@lists.oasis-open.org
Subject: RE: [office] "XML vulnerability leads to calls for standards change"

I saw a separate notification of this on comp.risks. The paper should be up on the ACM Digital Library at some point. I will watch for it.

Meanwhile, note that the vulnerability is in the use of CBC. So long as CBC is not used in conjunction with a block cipher, it may be the bullet is escaped. The default ODF 1.0/1.1/1.2 encryption uses 8-bit CFB, not CBC, with Blowfish as the block cipher.

There needs to be more information. I also need to look through my comp.risks backlog to see what more information there may be since the conference.

The suggestion that XML encryption should be scrapped is a bit over-the-top. It will be interesting to see what the W3C folks come up with. It isn't really about XML but particular encryption procedures using block ciphers. The vulnerabilities apply regardless of whether they are permitted in XML Encryption or not.

- Dennis

-----Original Message-----
From: office@lists.oasis-open.org [mailto:office@lists.oasis-open.org] On Behalf Of robert_weir@us.ibm.com
Sent: Monday, October 24, 2011 08:48
To: office@lists.oasis-open.org
Subject: [office] "XML vulnerability leads to calls for standards change"

Anyone else see this? Is it legit?

http://www.zdnetasia.com/xml-vulnerability-leads-to-calls-for-standards-change-62302612.htm

-Rob