ietf-smime

Replay of CMS SignedData

1998-08-10 18:37:44
Unless an application making use of SignedData includes a specifically
formatted field that includes replay prevention, any application protocol
using SignedData will be open to replay.

The CMS specification can remain silent on this issue, or we can recommend
a simple patch.  Why not recommend that the signing time attribute always
be used?

When no authenticated attributes are included, this solution will not help.
In this case, the best we can do is a paragraph in the security
considerations section.

Thoughts?

Russ
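
A receiver-side replay check keyed on the signing-time attribute, as an added example that is not part of the original message or of the CMS specification. It assumes the SignerInfo has already been parsed and its signature verified; the `SignerInfo` view, `ReplayGuard` and the 5-minute window are hypothetical names and values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class SignerInfo:
    """Hypothetical, already-verified view of one CMS SignerInfo."""
    signer_id: str                    # issuer and serial number, flattened
    content_digest: bytes             # digest of the signed content
    signing_time: Optional[datetime]  # None when no authenticated attributes


class ReplayGuard:
    """Accept a signed message once, and only inside a freshness window."""

    def __init__(self, window: timedelta = timedelta(minutes=5)):
        self.window = window          # assumed policy value
        self._seen = {}               # (signer, digest, time) -> signing time

    def check(self, si: SignerInfo, now: datetime) -> str:
        # Without authenticated attributes there is no signed timestamp to
        # test, so the signature alone cannot distinguish a replay.
        if si.signing_time is None:
            return "no-signing-time"
        if abs(now - si.signing_time) > self.window:
            return "stale"
        # Entries outside the window would be rejected as stale anyway,
        # so they can be dropped to bound the cache.
        self._seen = {k: t for k, t in self._seen.items()
                      if abs(now - t) <= self.window}
        key = (si.signer_id, si.content_digest, si.signing_time)
        if key in self._seen:
            return "replay"
        self._seen[key] = si.signing_time
        return "fresh"


# Constructed sample values, not taken from any real message.
SAMPLE_NOW = datetime(1998, 8, 10, 18, 40, 0, tzinfo=timezone.utc)
SAMPLE = SignerInfo("CN=Example CA/serial=01", b"\x11" * 20,
                    datetime(1998, 8, 10, 18, 37, 44, tzinfo=timezone.utc))
SAMPLE_NO_ATTRS = SignerInfo("CN=Example CA/serial=01", b"\x22" * 20, None)

if __name__ == "__main__":
    guard = ReplayGuard()
    print(guard.check(SAMPLE, SAMPLE_NOW))
    print(guard.check(SAMPLE, SAMPLE_NOW))
    print(guard.check(SAMPLE_NO_ATTRS, SAMPLE_NOW))
```

The signing time only bounds the replay window; rejecting a copy inside that window depends on the receiver's cache of messages already seen.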
