ISSUE-84: What should the best practices say about defenses against collision generation?

What should the best practices say about defenses against collision generation?

State:
CLOSED
Product:
Raised by:
Bradley Hill
Opened on:
2009-01-13
Description:
Proposal: withComments shouldn't be used to canonicalize the SignedInfo
Related Actions Items:
No related actions
Related emails:
  1. Draft minutes: xmlsec face-to-face 14 January 2009 (from tlr@w3.org on 2009-01-22)
  2. Draft Minutes: xmlsec face-to-face 13 January 2009 (from tlr@w3.org on 2009-01-22)

Related notes:

allowing C14N withComments for the SignedInfo may significantly increase the ability to generate XML signatures with colliding hashes. (as comments allow large amounts of arbitrary data to be inserted into signatures while still leaving them well-formed)

Not sure if this is relevant as XML signatures are inherently indirect, and the same risks may unavoidably apply for reference digests and be better addressed by other means, such as randomized hashing.

Bradley Hill, 13 Jan 2009, 19:54:19

not relevant - impossible to avoid this threat with indirected signatures

Bradley Hill, 27 Jan 2009, 21:22:53

Display change log ATOM feed

Chair, Staff Contact
Tracker: documentation, (configuration for this group), originally developed by Dean Jackson, is developed and maintained by the Systems Team <w3t-sys@w3.org>.
$Id: 84.html,v 1.1 2017/01/10 16:24:55 carine Exp $