OASIS Mailing List Archives

security-services message


Subject: [OASIS Issue Tracker] Created: (SECURITY-14) Disallow Object element in signatures

Disallow Object element in signatures

                 Key: SECURITY-14
                 URL: http://tools.oasis-open.org/issues/browse/SECURITY-14
             Project: OASIS Security Services (SAML) TC
          Issue Type: Improvement
          Components: Core
    Affects Versions: Version 2.0
            Reporter: Scott Cantor
            Priority: Minor
             Fix For: 2.0 incorporating Approved Errata

The XML Signature profile in SAML Core doesn't explicitly disallow the use of the <ds:Object> element in signatures, although it's discouraged by implication given the other restrictions imposed. Since the element is often used to carry out wrapping attacks, and its use was never profiled, we should discourage it explicitly.

This message is automatically generated by JIRA.
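
As an added example (not part of the original message or of any OASIS text), a relying party can reject such signatures on structure alone before it verifies them. The sketch goes beyond `<ds:Object>` and also checks the SAML Core rule of a single same-document `<ds:Reference>` to the enclosing element's ID; the function name and the sample documents are constructed for illustration, and no cryptographic verification is performed.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def signature_profile_errors(xml_text):
    """Return the profile violations found in every ds:Signature of the document."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build a child -> parent map once.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    errors = []
    for sig in root.iter(f"{{{DS}}}Signature"):
        # The restriction proposed in SECURITY-14: no ds:Object in the signature.
        if sig.find(f".//{{{DS}}}Object") is not None:
            errors.append("ds:Object present in signature")
        # SAML Core signature profile: exactly one ds:Reference ...
        refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
        if len(refs) != 1:
            errors.append(f"expected 1 ds:Reference, found {len(refs)}")
            continue
        # ... and it must be "#" + the ID of the element that encloses the signature.
        parent = parent_of.get(sig)
        signed_id = parent.get("ID") if parent is not None else None
        if signed_id is None or refs[0].get("URI") != "#" + signed_id:
            errors.append("ds:Reference does not point at the enclosing element's ID")
    return errors


def sample(assertion_id, ref_uri, extra=""):
    """Constructed, unsigned skeleton; digest and signature values are omitted."""
    return (f'<saml:Assertion xmlns:saml="{SAML}" xmlns:ds="{DS}" ID="{assertion_id}">'
            f'<ds:Signature><ds:SignedInfo><ds:Reference URI="{ref_uri}"/></ds:SignedInfo>'
            f'{extra}</ds:Signature></saml:Assertion>')


# Constructed input that follows the profile.
GOOD = sample("_a1", "#_a1")
# Constructed input: the signature carries a ds:Object and its Reference
# targets an ID other than the enclosing assertion's.
WITH_OBJECT = sample("_b2", "#_a1", '<ds:Object><saml:Assertion ID="_a1"/></ds:Object>')

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("WITH_OBJECT", WITH_OBJECT)):
        print(name, signature_profile_errors(doc))
```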