OASIS Mailing List Archives

wss message



Subject: RE: [wss] Recently discover WSS security threat



> -----Original Message-----
> From: Michael McIntosh [mailto:mikemci@us.ibm.com]
> Sent: Monday, June 06, 2005 9:00 PM
> To: Duane Nickull
> Cc: Hal Lockhart; Rich Salz; DeMartini, Thomas;
> wss@lists.oasis-open.org
> Subject: Re: [wss] Recently discover WSS security threat
>
>
> Duane Nickull <dnickull@adobe.com> wrote on 06/06/2005 07:08:44 PM:
>
> > I am a bit confused by this  thread.
>
> I think we all are ;-)
>
---- Agree.

> > If an application encounters
> > ...
> > <my:header>
> >    <my:integer>33</my:integer>
> > </my:header>
> >
> > all it can see is 33 as the node content, not 32. That is representative
> > of the current state of the fragment.
>
> Part of signature verification involves applying a set of transform
> algorithms. Typically these are used for canonicalization or, in the case
> of XPath, for selection of a subset of the fragment. Thomas is pointing out
> in his example that a transform can do more than canonicalize or select,
> but can alter the value.
>
> > To me the conversation is moot. I cannot sign something I cannot see nor
> > should I.  Did I miss something?

-- I do not think so either.

>
> You didn't miss anything. I think Thomas's example unfortunately obscures
> his real intent. I think he wants to use the XPath expression to filter the
> set of information that is passed to the application after signature
> processing.

To clarify the real intent, can we have a proposal on the table?

Abbie
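
The point raised in the quoted discussion, that a transform can alter the value so the digest covers 32 while the application reads 33, shown as an added example that is not part of the original thread. The `decrement` transform, the namespace URI and the allow-list policy are assumptions made for illustration; the digest check is a simplified model of reference processing, not a full XML Signature implementation.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"my": "urn:example:my"}  # constructed namespace URI (assumption)
# Constructed message: the header exactly as the application sees it.
DOC = (b'<my:header xmlns:my="urn:example:my">'
       b'<my:integer>33</my:integer></my:header>')

def c14n(data: bytes) -> bytes:
    """Canonicalization: normalizes serialization, leaves the value alone."""
    return ET.canonicalize(data.decode()).encode()

def decrement(data: bytes) -> bytes:
    """Hypothetical value-altering transform (stand-in, not from the thread)."""
    root = ET.fromstring(data)
    node = root.find("my:integer", NS)
    node.text = str(int(node.text) - 1)
    return ET.tostring(root)

def read_integer(data: bytes) -> int:
    """What a consumer extracts from a given octet stream."""
    return int(ET.fromstring(data).find("my:integer", NS).text)

def verify_reference(doc, transforms, expected_digest, allowed=None):
    """Run the transform chain, then compare the digest.

    Returns the octets that were actually digested, so the caller can
    consume what was signed. Raises ValueError on a digest mismatch or,
    when an allow-list is given, on a transform outside it.
    """
    data = doc
    for t in transforms:
        if allowed is not None and t not in allowed:
            raise ValueError(f"transform {t.__name__} not permitted")
        data = t(data)
    if hashlib.sha256(data).hexdigest() != expected_digest:
        raise ValueError("digest mismatch")
    return data

def demo():
    # Digest as a signer using the decrement transform would have computed it.
    expected = hashlib.sha256(decrement(DOC)).hexdigest()
    signed = verify_reference(DOC, [decrement], expected)  # verifies cleanly
    # Raw document versus the content the signature actually covers.
    return read_integer(DOC), read_integer(signed)

if __name__ == "__main__":
    print(demo())
```

Passing `allowed={c14n}` makes the same reference fail verification, which is one way a receiver can restrict transforms to canonicalization and selection.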


