RE: Manually Signed Digest as an XML signature type

Joseph and Tom:

Sorry, but I strongly believe that this manually signed digest signature
type is a huge mistake for this working group to even consider. The
focus of the working group and its charter from inception has been
digital signature in the cryptographic context. Adding this
"interpretation" of signature opens the door to all kinds of random
definitions and it seriously dilutes the work we've done so far.  

--Barbara Fox

-----Original Message-----
From: Joseph M. Reagle Jr. [mailto:reagle@w3.org]
Sent: Monday, June 05, 2000 1:55 PM
To: tgindin@us.ibm.com
Cc: w3c-ietf-xmldsig@w3.org
Subject: Re: Manually Signed Digest as an XML signature type


At 07:31 PM 5/31/00 -0400, tgindin@us.ibm.com wrote:
 >     Is there any point in the current draft which would need to be changed
 >to make allowances for someone to define a  "manually verifiable" signature
 >technique in this connection?

I hope not. The intent of the design is to permit externally defined
signature techniques and not become a repository for all signature
profiles.

 >1    A new value for SignatureMethod "manuallySignedDigest".  This value
 >for SignatureMethod implies that the SignatureValue itself consists of the
 >base 64 encoding of the message digest and is not signed.  This method's
 >main parameter is a reference to a SignatureProperty containing the manual
 >signature.  It might also accept a parameter giving the data type of the
 >manual signature.
 >
 >2    The manual signature itself, in a SignatureProperty.  This manual
 >signature should contain a voice recording, transcribed signature, or the
 >like which is performed by the user (signed with handwriting or spoken) and
 >in which the user him/herself records the message digest.
 
If I was designing this application, my initial thought would've been to
place this data in KeyInfo:

"KeyInfo is an optional element that enables the recipient(s) to obtain the
key(s) needed to validate the signature."

"Additional information items concerning the generation of the signature(s)
can be placed in a SignatureProperty element."

My own distinction between these two things is that KeyInfo is the
information necessary to procedurally generate/confirm the SignatureValue
octets and any of its metadata (like a signed cert); SignatureProperties is
other data relevant to application/trust decisions about the
assuredness/trustworthiness of that SignatureValue. If others agree, we
could try to make this clearer...



_________________________________________________________
Joseph Reagle Jr.   
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/People/Reagle/

Received on Monday, 5 June 2000 18:08:29 UTC