This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
(Raised by Travis Mayberry at http://lists.w3.org/Archives/Public/public-webcrypto-comments/2012Sep/0016.html) The 13 September 2012 draft (http://www.w3.org/TR/2012/WD-WebCryptoAPI-20120913/) includes support for PKCS#1 v1.5 modes of encryption and signing (RSAES and RSASSA). These modes are frequently subject to implementation errors that permit padding oracle attacks. Travis suggests: "I would suggest then that a note be put in emphasizing it should be used carefully and that OAEP is the better choice if you are not forced to use PKCS#1. My main concern is that a developer, upon deciding to use this API but not being familiar with the issues we are discussing, will simply pick one of the two at random and potentially open himself up to an attack that could have easily been avoided."
I believe this is a subset / dup of 25607. Resolve dup?
*** This bug has been marked as a duplicate of bug 25607 ***