OASIS Mailing List Archives

 




Subject: Re: [wss] Recently discover WSS security threat


Hal Lockhart wrote:
> In case it was not clear, I was not the person who discovered this problem and in fact until recently I was of the opinion that excessive signing was always harmless.
> 
> I am not exactly sure who first noticed the threat. It is possible that more than one person saw it around the same time. I believe Mike MacIntosh was the first person to notice that signed data indicated by an Id attribute could be moved around without breaking the signature and that this could lead to attacks. Mike also explained this particular threat to me and the rest of the BSP WG on a call more than a month ago. I believe Ron Monzillo also noticed some time ago that threats could arise when more text was signed than necessary, but I cannot say whether he anticipated this specific attack.
> 
> Hal
> 
Hal,

Thanks for the mention.
Anyway, I did not lend any special
insight to this ("brown paper") attack.

As we discussed, I remain concerned
about the complexities and inherent vulnerabilities
of requiring message receivers to properly
interpret security policy established via
SOAP mustUnderstand syntax and semantics.

Ron

