Bogus digital signatures, Re: OT: utility account transfer frauds

[Pete Chown]

Peter Gutmann wrote:

 > ... the fact that the data can be affected (often drastically) by
> external forces such as style sheets, schemas, and DTDs, XML namespace
> declarations and namespace attributes, and about a million other things ...

CSS could be a particular problem here.  With XSL, everyone understands 
that the content is modified.  However, with software that implements 
CSS properly, you can actually do quite a lot of mangling of the 
content.  Suppose the base document was signed, but included a reference 
to an external CSS stylesheet.  You may well be able to write a new 
stylesheet which makes all the changes you want, the document still 
appearing to be signed.

I'm not sure how a fake schema or DTD would help an attacker, though. 
Surely all you could do is make the document appear to be invalid when 
this is not the case?

-- 
Pete