> Signing "real data", i.e. signing the message directly is not such a good idea as it opens the algorithm to some attacks, especially if you use plain RSA (which would be a very bad idea). True, but a lot of typical signing includes a hash (RSA/DSA with SHA1), but the SHA1 works against the actual data being signed (in both digital signature and legal sense). In XML Signature, there's a two step process of doing an SHA1 on the actual data, and then digital signing (hash the hash and encrypt with the private key), so the digital signature is "signing" a hash, not the original data. Anyway, I believe it's sound technically, just wondered if there's anything "odd" from a legal standpoint since the signature is once removed from the data being signed. DavidReceived on Monday, 29 July 2002 14:54:02 GMT
This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:16 GMT