OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

wss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Issue 98: Encryption Key Substitution

At around line 1523 (security considerations) insert:

When a requester provides, within the request, a Public Key to be used to
encrypt the response, it is possible that an attacker in the middle may
substitute a different Public Key, thus allowing the attacker to read the
response. The best way to prevent this attack is to bind the encryption key
in some way to the request. One simple way of doing this is to use the same
key pair to sign the request as to encrypt the response. However, if policy
requires the use of distinct key pairs for signing and encryption, then the
Public Key provided in the request should be included under the signature of
the request.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]