Hello Roman,

Thank you for the review and apologies for the late reply. With commit 9b95515 <https://github.com/cose-wg/X509/commit/9b95515f9a4652445259578201e0edec3f3d1bf1> I believe I have addressed your discuss and comments. Please let me know if any further changes are needed. I plan to address the comments of a few other people here shortly and publish a new version.
Best regards,
Ivaylo

--
Ivaylo Petrov

On Thu, Oct 22, 2020 at 5:27 PM Benjamin Kaduk <[email protected]> wrote:

> On Tue, Oct 20, 2020 at 07:58:06PM -0700, Roman Danyliw via Datatracker wrote:
> > ** Section 5. Per “On the other hand, an oracle can potentially be built based
> > on detecting the network resources which is only done if the signature
> > validation passes.”, I didn’t follow what this means.
>
> The scenario is an attacker sending probably-bogus signatures to the node
> that behaves in this way. The (lack of) outbound network requests is an
> oracle as to whether the signature is valid. This is generally not useful
> in its own right, but is a fairly common building block to assemble with
> other weaknesses into a consolidated attack, which is why I assumed it was
> mentioned.
>
> -Ben
