Hi Thomas,

On Tue, Dec 16, 2008 at 10:43 AM, Thomas Roessler <[email protected]> wrote:
> I suggest to remove the editorial note currently present in section 8 of the
> Editor's Draft.
>

Removed.

> Instead, add the following to the Security Considerations section:
>
>> The signature scheme described in this document deals with the content
>> present inside a compressed widget package. This implies that, in order to
>> verify a widget signature, implementations need to uncompress a data stream
>> that can come from an arbitrary source. A signature according to this
>> specification does <em>not</em> limit the attack surface of decompression
>> and unpacking code used during signature extraction and verification.
>
>> Care should be taken to avoid resource exhaustion attacks through
>> maliciously crafted Widget archives during signature verification.
>
>> Implementations that store the content of widget archives to the file
>> system during signature verification must not trust any path components of
>> file names present in the archive, to avoid overwriting of arbitrary files
>> during signature verification.
>
> (In other words, the zip archive isn't signed, and bad things might happen
> if signature verification is implemented naively.)
>

Added! Thanks, Thomas. That's much better.

Kind regards,
Marcos

--
Marcos Caceres
http://datadriven.com.au
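The three points in the quoted Security Considerations text (the archive itself is unsigned input, decompression must be bounded against resource exhaustion, and path components in member names must not be trusted when writing to the file system) map onto a small amount of defensive unpacking code. The following is an added example written for this page; it is not code from the thread or from the W3C Widgets draft. The size limits, the fixture archives built in memory and the helper names (`check_member_name`, `inspect_archive`, `extract_safely`, `verdict`, `demo`) are constructed for illustration.

```python
"""Defensive unpacking of a zip-based widget package ahead of signature
verification. Added example, not code from the W3C draft or the thread;
limits and sample archives are constructed for illustration."""
import io
import os
import tempfile
import zipfile
from pathlib import PurePosixPath

# Constructed limits; a real implementation tunes these to expected package sizes.
MAX_ENTRIES = 1000
MAX_ENTRY_BYTES = 5 * 1024 * 1024
MAX_TOTAL_BYTES = 20 * 1024 * 1024
MAX_RATIO = 100          # uncompressed bytes per compressed byte


class UnsafeArchiveError(ValueError):
    """The archive would be unsafe to unpack."""


def check_member_name(name: str) -> str:
    """Normalise a member name, rejecting anything that could escape the
    extraction directory: NUL, backslashes, absolute paths, '..', drive letters."""
    if not name or "\x00" in name or "\\" in name:
        raise UnsafeArchiveError(f"suspicious characters in {name!r}")
    path = PurePosixPath(name)
    if path.is_absolute() or not path.parts:
        raise UnsafeArchiveError(f"absolute or empty path {name!r}")
    if ".." in path.parts or ":" in path.parts[0]:
        raise UnsafeArchiveError(f"untrusted path component in {name!r}")
    return path.as_posix()


def inspect_archive(data: bytes) -> list[str]:
    """First filter on the central directory: entry count, declared sizes and
    compression ratios. Returns sanitised names in archive order. Headers can
    lie, so extract_safely re-counts bytes while inflating."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            raise UnsafeArchiveError("too many entries")
        total, names = 0, []
        for info in infos:
            if info.file_size > MAX_ENTRY_BYTES:
                raise UnsafeArchiveError(f"{info.filename!r}: declared size too large")
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                raise UnsafeArchiveError(f"{info.filename!r}: compression ratio too high")
            total += info.file_size
            if total > MAX_TOTAL_BYTES:
                raise UnsafeArchiveError("declared total size too large")
            names.append(check_member_name(info.filename))
    return names


def extract_safely(data: bytes, dest: str) -> dict[str, int]:
    """Unpack into dest, enforcing the byte limits on the actual inflated output.
    Returns {member name: bytes written}."""
    names = inspect_archive(data)
    root = os.path.realpath(dest)
    written, total = {}, 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info, name in zip(zf.infolist(), names):
            target = os.path.realpath(os.path.join(root, name))
            if os.path.commonpath([root, target]) != root:   # belt and braces
                raise UnsafeArchiveError(f"{name!r} escapes destination")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            count = 0
            with zf.open(info) as src, open(target, "wb") as dst:
                while chunk := src.read(64 * 1024):
                    count += len(chunk)
                    total += len(chunk)
                    if count > MAX_ENTRY_BYTES or total > MAX_TOTAL_BYTES:
                        raise UnsafeArchiveError(f"{name!r}: inflated output exceeds limit")
                    dst.write(chunk)
            written[name] = count
    return written


def build_archive(members: dict[str, bytes]) -> bytes:
    """Construct an in-memory zip fixture (not a real widget package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def verdict(data: bytes) -> str:
    """'ok' if the archive passes inspection, otherwise the rejection reason."""
    try:
        inspect_archive(data)
        return "ok"
    except (UnsafeArchiveError, zipfile.BadZipFile) as exc:
        return f"rejected: {exc}"


def demo() -> dict[str, int]:
    """Extract a well-formed constructed fixture into a temporary directory."""
    good = build_archive({"config.xml": b"<widget/>", "scripts/app.js": b"alert(1)"})
    with tempfile.TemporaryDirectory() as tmp:
        return extract_safely(good, tmp)


if __name__ == "__main__":
    print(demo())
    print(verdict(build_archive({"../outside.txt": b"x"})))
    print(verdict(build_archive({"zeros.bin": b"\0" * (1 << 20)})))
```

The central-directory check in `inspect_archive` is only a first filter, because declared sizes are attacker-controlled; the chunked loop in `extract_safely` is what actually bounds the work done on the inflated stream. Member names are normalised before any path is built, and the `realpath`/`commonpath` comparison is a second, independent check that the final target stays under the destination. A failed extraction leaves partial files behind, so a verifier would unpack into a fresh temporary directory and discard it on any error.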
