Subject: RE: Defective sign & encrypt vis-a-vis SAML?
This paper is restricted to USENIX members. Does anybody know where there is a public copy? (We are probably members, but I am sure it will be a pain to track down whoever knows the password.)

Hal

> -----Original Message-----
> From: Jeremy Epstein [mailto:jepstein@webmethods.com]
> Sent: Thursday, July 12, 2001 5:05 PM
> To: OASIS SSTC List.
> Subject: Defective sign & encrypt vis-a-vis SAML?
>
>
> I'm sure many of you have heard about Don Davis' moderately controversial
> paper on defective sign & encrypt in S/MIME, XML Signature, and other
> standards (see
> http://www.usenix.org/publications/library/proceedings/usenix01/davis.html
> for the paper). It's not that the crypto algorithms are broken, it's that
> they're being used in broken ways that allow surreptitious forwarding,
> among other things.
>
> Has anyone given any thought to the way SAML specifies signing &
> encrypting of assertions and other stuff? This has been discussed briefly
> on the XML Encryption list... Or is it too soon to think about such a
> thing?
>
> --Jeremy
>
> -----------------------------------------------------------
> Jeremy Epstein                             voice: 703-460-5852
> Director, Product Security & Performance   FAX:   703-460-5999
> webMethods, Inc.                           cell:  703-989-8907
> Fairfax Virginia                           email: jepstein@webMethods.com
> -----------------------------------------------------------