- From: John Cowan <cowan@locke.ccil.org>
- Date: Fri, 7 Jul 2000 22:29:30 -0400 (EDT)
- To: tgindin@us.ibm.com
- cc: "Joseph M. Reagle Jr." <reagle@w3.org>, "Martin J. Duerst" <duerst@w3.org>, w3c-ietf-xmldsig@w3.org, John Boyer <jboyer@PureEdge.com>
- Message-ID: <Pine.BSI.3.95.1000707222103.10658B-100000@locke.ccil.org>
On Fri, 7 Jul 2000 tgindin@us.ibm.com wrote:

> In short, normalizing prior to digesting AVOIDS allowing
> inconsequential changes to change the digest. If I have misunderstood the
> point of the section cited, I'm sure someone will correct me.

Your scenario is correct as far as it goes. But consider a signed
document that contains an element or attribute named
"autorisation_de_découvert" ("credit limit").

A forged version of the document that contained the name
"autorisation_de_de'couvert" (where ' = COMBINING ACUTE) would pass
a normalization + signature check. However, the document processor
might well fail to recognize it as having the semantics of "credit limit"
and treat it as unknown and to be ignored. Bad news: the forger
now appears to have unlimited credit!

-- 
John Cowan                                   cowan@ccil.org
"Yet it is there that the sense of the saying delivers itself, in that, the nyania
that rumbles from the sexes in company conjugating with it, it makes up for there
being no relation between them." -- Jacques Lacan, "L'Etourdit"
Received on Friday, 7 July 2000 21:52:48 UTC
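The scenario John Cowan describes, worked through as an added example (this code is not part of the original thread and not any XML-DSig implementation): a signer that NFC-normalizes before digesting accepts a document whose element name has been rewritten from a precomposed e-acute (U+00E9) to e + COMBINING ACUTE (U+0301), while a consumer that matches element names byte-for-byte no longer finds the "credit limit" element. An HMAC over the canonical bytes stands in for the real signature, the element names, the shared key and the sample documents are all constructed for the demonstration, and the "fixed" consumer applies the same normalization the signer did before interpreting the document.

```python
import hashlib
import hmac
import unicodedata
import xml.etree.ElementTree as ET

# Constructed sample documents (hypothetical element name, not from the thread).
# ORIGINAL uses precomposed U+00E9; FORGED uses 'e' followed by U+0301.
ORIGINAL = (
    "<doc><autorisation_de_d\u00e9couvert>1000"
    "</autorisation_de_d\u00e9couvert></doc>"
)
FORGED = (
    "<doc><autorisation_de_de\u0301couvert>1000"
    "</autorisation_de_de\u0301couvert></doc>"
)

# Hypothetical shared secret; HMAC-SHA256 stands in for an XML signature.
KEY = b"demo-shared-secret"

# The element name the application knows, as a precomposed string.
CREDIT_LIMIT_TAG = "autorisation_de_d\u00e9couvert"


def canonicalize(text: str) -> bytes:
    """Normalize to NFC before digesting, as proposed in the thread."""
    return unicodedata.normalize("NFC", text).encode("utf-8")


def sign(text: str) -> bytes:
    """Sign the canonical form of the document."""
    return hmac.new(KEY, canonicalize(text), hashlib.sha256).digest()


def verify(text: str, sig: bytes) -> bool:
    """Verify a signature against the canonical form of the document."""
    return hmac.compare_digest(sign(text), sig)


def credit_limit_naive(text: str):
    """Processor that does NOT normalize: element names match byte-for-byte.

    Returns the credit limit, or None when the element is 'unknown' and
    therefore ignored (the failure mode the message warns about).
    """
    root = ET.fromstring(text)
    el = root.find(CREDIT_LIMIT_TAG)
    return int(el.text) if el is not None else None


def credit_limit_normalized(text: str):
    """Processor that normalizes the same way the signer did before parsing."""
    root = ET.fromstring(unicodedata.normalize("NFC", text))
    el = root.find(CREDIT_LIMIT_TAG)
    return int(el.text) if el is not None else None


def demo() -> dict:
    """Run the scenario end to end and return the observations."""
    sig = sign(ORIGINAL)
    return {
        # Both documents verify: the combining-sequence change is
        # "inconsequential" to the normalizing signature check.
        "original_verifies": verify(ORIGINAL, sig),
        "forged_verifies": verify(FORGED, sig),
        # A genuine content change is still caught.
        "tampered_value_verifies": verify(FORGED.replace("1000", "2000"), sig),
        # The non-normalizing consumer loses the element on the forged copy.
        "naive_original": credit_limit_naive(ORIGINAL),
        "naive_forged": credit_limit_naive(FORGED),
        # A consumer that normalizes identically keeps the semantics.
        "normalized_forged": credit_limit_normalized(FORGED),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design point the example makes concrete: a signature over a normalized form only protects what the consumer interprets if the consumer interprets the same normalized form. Either the verifier hands the application the canonical bytes it actually checked, or the application normalizes identically before it looks anything up; checking the signature on one representation and acting on another is where the "unlimited credit" comes from.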