Subject: Defective sign & encrypt vis-a-vis SAML?
I'm sure many of you have heard about Don Davis' moderately controversial paper on defective sign & encrypt in S/MIME, XML Signature, and other standards (see http://www.usenix.org/publications/library/proceedings/usenix01/davis.html for the paper). It's not that the crypto algorithms are broken, it's that they're being used in broken ways that allow surreptitious forwarding, among other things.

Has anyone given any thought to the way SAML specifies signing & encrypting of assertions and other stuff? This has been discussed briefly on the XML Encryption list... Or is it too soon to think about such a thing?

--Jeremy

-----------------------------------------------------------
Jeremy Epstein                              voice: 703-460-5852
Director, Product Security & Performance    FAX:   703-460-5999
webMethods, Inc.                            cell:  703-989-8907
Fairfax Virginia                            email: jepstein@webMethods.com
-----------------------------------------------------------
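The surreptitious-forwarding defect the post refers to, as an added illustration that is not part of Jeremy's message or of Davis's paper: a toy model in which an HMAC stands in for the sender's signature and an addressed envelope stands in for encryption (both constructed stand-ins), showing that a verifier which only checks the signature accepts a message Bob re-encrypted to Carol, while binding the intended recipient into the signed data lets Carol reject it.

```python
import hmac, hashlib, json

# Constructed sample key: an HMAC key stands in for Alice's signing key
# (a real deployment would use an asymmetric signature, e.g. XML-DSig).
SIGNING_KEYS = {"alice": b"alice-signing-key"}

def sign(sender, payload):
    """Sign a JSON-serialisable payload (canonicalised before signing)."""
    canon = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(SIGNING_KEYS[sender], canon, hashlib.sha256).hexdigest()
    return {"signer": sender, "payload": payload, "sig": tag}

def encrypt(signed, recipient):
    """Encryption modelled as an outer envelope; only the envelope names the
    recipient, and the signature does not cover the envelope."""
    return {"to": recipient, "ciphertext": signed}

def decrypt(envelope, me):
    if envelope["to"] != me:
        raise ValueError("not addressed to me")
    return envelope["ciphertext"]

def verify(signed):
    canon = json.dumps(signed["payload"], sort_keys=True).encode()
    expected = hmac.new(SIGNING_KEYS[signed["signer"]], canon, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["sig"])

def naive_sign_encrypt(sender, recipient, text):
    """Sign, then encrypt: the signed data says nothing about who it was for."""
    return encrypt(sign(sender, {"text": text}), recipient)

def bound_sign_encrypt(sender, recipient, text):
    """Davis's remedy: the intended recipient is part of the signed data."""
    return encrypt(sign(sender, {"text": text, "to": recipient}), recipient)

def accept(envelope, me):
    """Recipient-side check: decrypt, verify the signature, and, when the
    signed payload names a recipient, require that it is us."""
    signed = decrypt(envelope, me)
    if not verify(signed):
        return False
    return signed["payload"].get("to", me) == me

def reencrypt(envelope, me, new_recipient):
    """A legitimate recipient strips the outer layer and re-addresses the
    still-valid signed blob; this is the forwarding the paper describes."""
    return encrypt(decrypt(envelope, me), new_recipient)

def demo():
    naive = reencrypt(naive_sign_encrypt("alice", "bob", "hi"), "bob", "carol")
    bound = reencrypt(bound_sign_encrypt("alice", "bob", "hi"), "bob", "carol")
    return accept(naive, "carol"), accept(bound, "carol")  # (True, False)
```

Carol accepts the naive message as if Alice had sent it to her; with the recipient bound into the signed payload, the same re-addressing is rejected.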