- From: John Cowan <[email protected]>
- Date: Fri, 7 Jul 2000 22:29:30 -0400 (EDT)
- To: [email protected]
- cc: "Joseph M. Reagle Jr." <[email protected]>, "Martin J. Duerst" <[email protected]>, [email protected], John Boyer <[email protected]>
On Fri, 7 Jul 2000 [email protected] wrote:

> In short, normalizing prior to digesting AVOIDS allowing
> inconsequential changes to change the digest. If I have misunderstood the
> point of the section cited, I'm sure someone will correct me.

Your scenario is correct as far as it goes. But consider a signed document that contains an element or attribute named "autorisation_de_découvert" ("credit limit"). A forged version of the document that contained the name "autorization_de_de'couvert" (where ' = COMBINING ACUTE) would pass a normalization + signature check.

However, the document processor might well fail to recognize it as having the semantics of "credit limit" and treat it as unknown and to be ignored. Bad news: the forger now appears to have unlimited credit!

--
John Cowan [email protected]
C'est la` pourtant que se livre le sens du dire, de ce que, s'y conjuguant le nyania qui bruit des sexes en compagnie, il supplee a ce qu'entre eux, de rapport nyait pas.
-- Jacques Lacan, "L'Etourdit"
Received on Friday, 7 July 2000 21:52:48 UTC
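
The scenario in the message above, as an added example that is not part of the original post or of any specification text: a SHA-256 digest over NFC-normalized text stands in for the signature check, and the document layout, the `credit_limit` processor and the account holder name are constructed for illustration. It also shows the mitigation of having the processor consume the same normalized text that was verified.

```python
import hashlib
import re
import unicodedata

# Constructed sample names: same visible text, different code points.
COMPOSED = "autorisation_de_d\u00e9couvert"     # U+00E9 LATIN SMALL LETTER E WITH ACUTE
DECOMPOSED = "autorisation_de_de\u0301couvert"  # 'e' + U+0301 COMBINING ACUTE ACCENT


def make_doc(name: str, limit: int) -> str:
    """Build a tiny constructed document with one credit-limit element."""
    return f"<titulaire>Dupont</titulaire><{name}>{limit}</{name}>"


def normalized_digest(doc: str) -> str:
    """Digest over the NFC-normalized text (stand-in for the signed value)."""
    nfc = unicodedata.normalize("NFC", doc)
    return hashlib.sha256(nfc.encode("utf-8")).hexdigest()


def credit_limit(doc: str, use_verified_form: bool):
    """Hypothetical processor: returns the limit, or None when no element
    it recognizes is present (the element is ignored as unknown)."""
    if use_verified_form:
        # Consume exactly the text the digest was computed over.
        doc = unicodedata.normalize("NFC", doc)
    fields = dict(re.findall(r"<([^<>/\s]+)>([^<]*)</\1>", doc))
    value = fields.get(COMPOSED)  # plain code-point comparison
    return int(value) if value is not None else None


if __name__ == "__main__":
    signed = make_doc(COMPOSED, 500)
    altered = make_doc(DECOMPOSED, 500)
    print("raw text identical:", signed == altered)
    print("normalized digests match:",
          normalized_digest(signed) == normalized_digest(altered))
    print("limit seen on raw text:",
          credit_limit(altered, use_verified_form=False))
    print("limit seen on verified form:",
          credit_limit(altered, use_verified_form=True))
```
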