OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: [OASIS Issue Tracker] Updated: (SECURITY-14) Disallow Objectelement in signatures



     [ http://tools.oasis-open.org/issues/browse/SECURITY-14?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Scott Cantor updated SECURITY-14:
---------------------------------

    Resolution: 
Resolved as proposed on TC call on Aug 9, 2011:
http://lists.oasis-open.org/archives/security-services/201108/msg00021.html

> Disallow Object element in signatures
> -------------------------------------
>
>                 Key: SECURITY-14
>                 URL: http://tools.oasis-open.org/issues/browse/SECURITY-14
>             Project: OASIS Security Services (SAML) TC
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: Version 2.0
>            Reporter: Scott Cantor
>            Priority: Minor
>             Fix For: 2.0 incorporating Approved Errata
>
>
> The XML Signature profile in SAML Core doesn't explicitly disallow the use of the <ds:Object> element in signatures, although it's discouraged by implication given the other restrictions imposed. Since the element is often used to carry out wrapping attacks, and its use was never profiled, we should discourage it explicitly.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]