- From: Spielman, Terence <TSpielma@inovant.com>
- Date: Wed, 12 Jun 2002 06:40:10 -0700
- To: "'Jeong Ahn Lee'" <jeongahn2001@yahoo.com>, w3c-ietf-xmldsig@w3.org
Your question is a classic one that is specific to public key technology and not specifically xml dsig. You are correct that a man-in-the-middle can replace our document and sign it themselves. The signature is valuable, but is useless unless you can identify the signer. For this reason public keys are typically bound to principals (people, organizations, systems) with credentials, the most typical being X.509 certificates. Yet even these must ultimately rely on some final acceptance of liability for identification. X509 certificates are typically chained until they reach a root-level certificate authority which you must recognize and trust. The X509 certificate model is hierarchical (tree-based) and so trust resolution propagates upwards until you reach a common root. Another trust model uses a web-based traversal in which a certificate is associated with multiple other certificates (securely). These links are traversed until you reach some certificate you trust. This model is loosely what PGP uses. Hope this helps! Terence Spielman > -----Original Message----- > From: Jeong Ahn Lee [mailto:jeongahn2001@yahoo.com] > Sent: Wednesday, June 12, 2002 4:29 AM > To: w3c-ietf-xmldsig@w3.org > Subject: Help!! > > > > Hi All, > > i have a silly question > > you receive (via HTTP ) a document that contains that > PublicKey (signed by the corresponding PrivateKey by > me) then, How can you be able to infer that I signed > the document and no body else modified the document in > between and they signed it. > > thanks and regards > Jeong Ahn > > __________________________________________________ > Do You Yahoo!? > Yahoo! - Official partner of 2002 FIFA World Cup > http://fifaworldcup.yahoo.com >
Received on Wednesday, 12 June 2002 09:40:17 UTC