OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

wss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [wss] New Issue: Key Identifiers Should Not Be Used for Signatures

>The problem is that the Relying Party has know way of knowing how many
>certificates the sender has. At a minumum I would say this makes the spec
>totally useless for non-repudiation purposes and even doubtful for ordinary

I think that this certificate substitution attack is no
different from the attack of submitting the initial request
with certificate B (same key) instead.

The recipient trusts certain CAs, presumably based upon
their security policies. If one of the CA/PKI systems asserts
that an identity/key binding is valid, the requestor proves
ownership of the key, and the identity is sufficient for the
recipient to authorize the request, then the request will
be processed. It is up to the recipient not to accept certs
issued by CAs that don't have adequate security policies.


The information contained in this message is confidential and is intended
for the addressee(s) only.  If you have received this message in error or
there are any problems please notify the originator immediately.  The 
unauthorised use, disclosure, copying or alteration of this message is 
strictly forbidden. Baltimore Technologies plc will not be liable for
direct, special, indirect or consequential damages arising from alteration
of the contents of this message by a third party or as a result of any 
virus being passed on.

This footnote confirms that this email message has been swept for Content
Security threats, including computer viruses.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]