Subject: Re: [wss] Recently discover WSS security threat
Hal Lockhart wrote:

> In case it was not clear, I was not the person who discovered this problem and in fact until recently I was of the opinion that excessive signing was always harmless.
>
> I am not exactly sure who first noticed the threat. It is possible that more than one person saw it around the same time. I believe Mike MacIntosh was the first person to notice that signed data indicated by an Id attribute could be moved around without breaking the signature and that this could lead to attacks. Mike also explained this particular threat to me and the rest of the BSP WG on a call more than a month ago. I believe Ron Monzillo also noticed some time ago that threats could arise when more text was signed than necessary, but I cannot say whether he anticipated this specific attack.
>
> Hal

Hal,

Thanks for the mention. Anyway, I did not lend any special insight to this ("brown paper") attack. As we discussed, I remain concerned about the complexities and inherent vulnerabilities of requiring message receivers to properly interpret security policy established via SOAP mustUnderstand syntax and semantics.

Ron
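The threat Hal describes, in an added example that is not part of this thread: a receiver that dereferences a signature Reference purely by wsu:Id will still find the signed element after it has been relocated, so the check below additionally requires that the Id-referenced element be the very Body element the receiver processes. The SOAP and wsu namespace URIs are the standard ones; the envelopes, Id value and element names are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
NS = {"soap": SOAP, "wsu": WSU}

# Constructed sample: <Reference URI="#body"> in the signature covers the Body.
ORIGINAL = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsu="{WSU}">
  <soap:Header><Security/></soap:Header>
  <soap:Body wsu:Id="body"><transfer amount="10"/></soap:Body>
</soap:Envelope>"""

# Constructed sample of the relocation case: the Id-bearing element now sits
# under the Header, and an unsigned Body occupies the position the receiver reads.
MOVED = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsu="{WSU}">
  <soap:Header><Security/><Wrapper>
    <soap:Body wsu:Id="body"><transfer amount="10"/></soap:Body></Wrapper></soap:Header>
  <soap:Body><transfer amount="9999"/></soap:Body>
</soap:Envelope>"""


def by_id(root, uri):
    """Id-only dereference, as a naive verifier does: first element whose wsu:Id matches."""
    ident = uri.lstrip("#")
    for el in root.iter():
        if el.get(f"{{{WSU}}}Id") == ident:
            return el
    return None


def signed_is_processed_body(xml_text, uri="#body"):
    """Defensive check: the element the signature covers must be the same object
    the application will act on (the Envelope's direct Body child), not merely an
    element with a matching Id found anywhere in the document."""
    root = ET.fromstring(xml_text)
    signed = by_id(root, uri)
    processed = root.find("soap:Body", NS)  # direct child of Envelope only
    return signed is not None and signed is processed


def amount_in_signed(xml_text, uri="#body"):
    """What the signature actually covers, resolved by Id alone."""
    return by_id(ET.fromstring(xml_text), uri).find("transfer").get("amount")


def amount_processed(xml_text):
    """What a receiver reading Envelope/Body would act on."""
    return ET.fromstring(xml_text).find("soap:Body", NS).find("transfer").get("amount")
```

On the relocated envelope the Id lookup still resolves to the original, signed content, so a signature check alone passes; only the positional check rejects the message.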