W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > April to June 2002

RE: Help!!

From: Spielman, Terence <TSpielma@inovant.com>
Date: Wed, 12 Jun 2002 06:40:10 -0700
Message-Id: <A38C0F5A6E195C48AC2C93BEC33EF83D54FCAA@sw745x043.visa.com>
To: "'Jeong Ahn Lee'" <jeongahn2001@yahoo.com>, w3c-ietf-xmldsig@w3.org

Your question is a classic one that is specific to
public key technology and not specifically xml dsig.

You are correct that a man-in-the-middle can replace
our document and sign it themselves.  The signature is
valuable, but is useless unless you can identify the
signer.  For this reason public keys are typically
bound to principals (people, organizations, systems)
with credentials, the most typical being X.509 certificates.

Yet even these must ultimately rely on some final
acceptance of liability for identification.  X509
certificates are typically chained until they reach
a root-level certificate authority which you must
recognize and trust.

The X509 certificate model is hierarchical (tree-based)
and so trust resolution propagates upwards until
you reach a common root.

Another trust model uses a web-based traversal in which
a certificate is associated with multiple other certificates
(securely).  These links are traversed until you reach
some certificate you trust.  This model is loosely what
PGP uses.

Hope this helps!
Terence Spielman

> -----Original Message-----
> From: Jeong Ahn Lee [mailto:jeongahn2001@yahoo.com]
> Sent: Wednesday, June 12, 2002 4:29 AM
> To: w3c-ietf-xmldsig@w3.org
> Subject: Help!!
> 
> 
> 
> Hi All, 
> 
> i have a silly question
> 
> you receive (via HTTP ) a document that contains that
> PublicKey (signed by the corresponding PrivateKey by
> me) then, How can you be able to infer that I signed
> the document and no body else modified the document in
> between and they signed it.
> 
> thanks and regards
> Jeong Ahn
> 
> __________________________________________________
> Do You Yahoo!?
> Yahoo! - Official partner of 2002 FIFA World Cup
> http://fifaworldcup.yahoo.com
> 
Received on Wednesday, 12 June 2002 09:40:17 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:16 GMT