Re: draft-ietf-xmldsig-core-04 question from Donald E. Eastlake 3rd on 2000-02-21 (w3c-ietf-xmldsig@w3.org from January to March 2000)

From: Donald E. Eastlake 3rd <dee3@torque.pothole.com>
Date: Mon, 21 Feb 2000 09:42:35 -0500
To: "Carl Wallace" <cwallace@erols.com>
cc: "dsig" <w3c-ietf-xmldsig@w3.org>
Message-Id: <200002211442.JAA24447@torque.pothole.com>

Thanks for the references update.

On the "multiple distinct signatures" text, I guess it isn't very
clear.  The idea is that if one wants the protection of two different
algorithms, for example, so the signature would still be secure if one
is broken, then one could define a composite algorithm that produced
the two signatures concatenated.  This would probably need a composite
key which was the two keys, one for each algorithm, concatenated.

It is just as valid to view this composite algorithm/key as a new
single algorithm and single key format.  Perhaps it would be better to
handle this with a note somewhere pointing this out...

Thanks,
Donald

From:  "Carl Wallace" <cwallace@erols.com>
Resent-Date:  Mon, 21 Feb 2000 08:36:23 -0500 (EST)
Resent-Message-Id:  <200002211336.IAA03114@www19.w3.org>
Message-ID:  <005f01bf7c70$9c7507c0$477c60cf@jazzhive.erols.com>
To:  "dsig" <w3c-ietf-xmldsig@w3.org>
Date:  Mon, 21 Feb 2000 08:36:07 -0500

>I don't understand the following statements from sections 4.2 and 4.4.  =
>Section 4.2 states:
>
>"The ability to define a SignatureMethod and SignatureValue pair which =
>includes multiple distinct signatures is explicitly permitted =
>(e.g."rsawithsha-1 and ecdsawithsha-1")."
>
>Since the schema and DTD indicate that there must be one SignatureMethod =
>and one SignatureValue how does this work?  Section 4.3.2 also mentions =
>"multiple, distinct signature values" but provides no clarification as =
>to how this is done using the defined structures. =20
>
>Section 4.4 states:
>
>"KeyInfo is an optional element which enables the recipient(s) to obtain =
>the key(s) needed to validate the signature. If omitted, the recipient =
>is expected to be able to identify the key based on application context =
>information. Multiple declarations within KeyInfo refer to the same =
>key."
>
>If multiple references must refer to the same key then "key(s)" should =
>be changed to "key".  This conflicts with the use of multiple signature =
>values.
>
>Also, there are a few references that need to be updated:
>
>    - sections 4.3.1, 4.3.2 and 4.3.3.2 refer to Section 5.1 where they =
>should refer to 6.1
>    - section 4.3.3.1 refers to Section 5-6 where it should refer to 6.6
>
>
>Carl Wallace  =20
>CygnaCom Solutions

Received on Monday, 21 February 2000 09:42:12 UTC