Re: XML signature HMAC truncation authentication bypass

2009-07-28 Thread Jon Callas
On Jul 26, 2009, at 10:31 PM, Peter Gutmann wrote:
> Jon Callas j...@callas.org writes:
>> You are of course correct, Peter, but are you saying that we shouldn't do anything?
> Well, I think it's necessary to consider the tradeoffs, if you don't know the other side's capabilities then it's a

Re: The latest Flash vulnerability and monoculture

2009-07-28 Thread dan
It would also help quite a bit if we had better encapsulation technology. Binary plug-ins for browsers are generally a bad idea -- having things like video players in separate processes where operating system facilities can be used to cage them more effectively would also help to mitigate

Re: XML signature HMAC truncation authentication bypass

2009-07-28 Thread Peter Gutmann
Jon Callas j...@callas.org writes:
> Okay, password-protected files would get it, too. I won't ask why you're sending password-protected files to an agent.
They're not technically password-protected files but pre-shared key (PSK) protected files, where the keys have a high level of entropy