- From: David Wall <dwall@Yozons.com>
- Date: Mon, 29 Jul 2002 11:54:15 -0700
- To: "Christian Geuer-Pollmann" <geuer-pollmann@nue.et-inf.uni-siegen.de>, <w3c-ietf-xmldsig@w3.org>
> Signing "real data", i.e. signing the message directly is not such a good idea as it opens the algorithm to some attacks, especially if you use plain RSA (which would be a very bad idea). True, but a lot of typical signing includes a hash (RSA/DSA with SHA1), but the SHA1 works against the actual data being signed (in both digital signature and legal sense). In XML Signature, there's a two step process of doing an SHA1 on the actual data, and then digital signing (hash the hash and encrypt with the private key), so the digital signature is "signing" a hash, not the original data. Anyway, I believe it's sound technically, just wondered if there's anything "odd" from a legal standpoint since the signature is once removed from the data being signed. David
Received on Monday, 29 July 2002 14:54:02 UTC