On Tue, Oct 20, 2020 at 07:58:06PM -0700, Roman Danyliw via Datatracker wrote:
> ** Section 5. Per “On the other hand, an oracle can potentially be built based
> on detecting the network resources which is only done if the signature
> validation passes.”, I didn’t follow what this means.

The scenario is an attacker sending probably-bogus signatures to the node that behaves in this way. The (lack of) outbound network requests is an oracle as to whether the signature is valid. This is generally not useful in its own right, but is a fairly common building block to assemble with other weaknesses into a consolidated attack, which is why I assumed it was mentioned.

-Ben
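
The behaviour described in the reply above, as an added example that is not part of the original message or of the draft under review: a simulated node whose outbound request log reveals whether a signature validated, next to a node that makes no message-driven request. HMAC stands in for a real signature scheme, and `Node`, `handle`, `observer_guess`, `leaked_bits`, the key and the URL are all hypothetical; the locally provisioned resource in the second node is an assumed design, not one the thread proposes.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; HMAC stands in for a real signature


def sign(payload: bytes) -> bytes:
    return hmac.new(KEY, payload, hashlib.sha256).digest()


class Node:
    """Hypothetical receiver; `outbound` is what a network observer can see."""

    def __init__(self, fetch_only_if_valid: bool):
        self.fetch_only_if_valid = fetch_only_if_valid
        self.outbound = []  # simulated outbound requests, no real network I/O

    def handle(self, payload: bytes, sig: bytes, url: str) -> str:
        ok = hmac.compare_digest(sign(payload), sig)
        if ok and self.fetch_only_if_valid:
            self.outbound.append(url)  # request happens only after a pass
        # Assumed alternative: resource is pre-provisioned locally, so neither
        # outcome touches the network. The reply to the sender is identical.
        return "received"


def observer_guess(node: Node, payload: bytes, sig: bytes) -> bool:
    """Infer validity from traffic alone: did this message trigger a request?"""
    before = len(node.outbound)
    node.handle(payload, sig, "https://resource.example/item")
    return len(node.outbound) > before


def leaked_bits(node: Node) -> list:
    """Guesses for one valid and one invalid signature on the same payload."""
    payload = b"constructed message"
    good = sign(payload)
    bad = bytes([good[0] ^ 1]) + good[1:]
    return [observer_guess(node, payload, good), observer_guess(node, payload, bad)]


if __name__ == "__main__":
    print("fetch-after-validation:", leaked_bits(Node(True)))   # guesses track validity
    print("no message-driven fetch:", leaked_bits(Node(False)))  # guesses carry no signal
```
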
