Subject: Re: [dss] RE: <DocumentURI>
I pretty much agree with everything Trevor wrote, except that I want to emphasize this:

> There's a security concern, if the client asks the server to sign
> something the server has access to, but the client doesn't.

It is a HUGE security issue. Suppose, for example, the DSS is running on a Unix box and I send it a request for an enveloping signature of "file:///home/root/passwords" or some such? Suppose I say "here's the URL I want you to sign", but the URL is one of those phony "click here to get off our mailing list" spam things? etc.

/r$

--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
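
The concern raised in the message above, as an added example that is not part of the original post or of the DSS drafts: a policy check a signing service could run before it dereferences a client-supplied URI. The allowlisted host, the function and class names, and the sample URIs (other than the `file:` URI quoted in the message) are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed operator policy (hypothetical values, not from the DSS drafts).
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"docs.example.com"}

class RejectedURI(ValueError):
    """The server must not dereference this client-supplied URI."""

def check_document_uri(uri: str) -> str:
    """Return uri unchanged if policy lets the server fetch it, else raise."""
    try:
        parts = urlsplit(uri)
        port = parts.port  # raises ValueError on a malformed or out-of-range port
    except ValueError:
        raise RejectedURI("malformed URI") from None
    if parts.scheme not in ALLOWED_SCHEMES:
        # Rejects file: and every other scheme that reaches server-local data.
        raise RejectedURI(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        # "https://allowed-host@other-host/" must not pass on a string match.
        raise RejectedURI("userinfo not allowed")
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        # An explicit allowlist also stops fetches whose side effect is the
        # point, such as the unsubscribe-link case in the message.
        raise RejectedURI(f"host {host!r} not on allowlist")
    if port not in (None, 443):
        raise RejectedURI("non-default port not allowed")
    return uri

def is_allowed(uri: str) -> bool:
    try:
        check_document_uri(uri)
        return True
    except RejectedURI:
        return False

# Constructed sample requests; the first is the URI quoted in the message.
SAMPLES = [
    "file:///home/root/passwords",
    "http://lists.example.net/unsubscribe?id=1",
    "https://docs.example.com@127.0.0.1/admin",
    "https://docs.example.com/contract.xml",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print("ALLOW " if is_allowed(u) else "REJECT", u)
```

The fetch itself should also refuse redirects, since a redirect from an allowed host can lead to a URI this check would have rejected.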