W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > October to December 2002

Re: Comments on "XML Canonicalization"

From: Bilal Siddiqui <xml4java@yahoo.co.uk>
Date: Mon, 2 Dec 2002 10:32:14 -0500
To: w3c-ietf-xmldsig@w3.org
Message-Id: <200212021032.15225.xml4java@yahoo.co.uk>

Hi Joseph,

Thanks for your comments. They are much appreciated.

I had edited the published version of the article within a few days of
receipt of your comments. However I didn't notify you and the XML Signature
list of the edits in the article. That was a mistake. Please excuse me for
the same.

The problematic paragraph has been changed from:

When a user wants to sign an XML document, there is a two step procedure.
First, the user digests the XML file to be signed and produces a digest
value. Secondly, the user signs both the XML message and the digest with
 the user's private key.

to read as follows:

When a user wants to sign an XML document, there is a two step procedure.
First, the user digests the XML file to be signed and produces a digest
value. Secondly, the user signs a reference to the XML message and the
digest with the user's private key.

The change is in the third sentence where the words "both the" have been
replaced with the words "a reference to".

The article can be viewed at:
http://www.xml.com/pub/a/2002/09/18/c14n.html

I hope it serves.

Bet regards,
Bilal


----- Original Message -----
From: "Joseph Reagle" <reagle@w3.org>
To: <wap_monster@yahoo.com>
Cc: "XML Signature" <w3c-ietf-xmldsig@w3.org>
Sent: Friday, September 27, 2002 6:13 AM
Subject: Comments on "XML Canonicalization"

> Hi Bilal,
>
> In [1] you state, "When a user wants to sign an XML document, there is a

two

> step procedure. First, the user digests the XML file to be signed and
> produces a digest value. Secondly, the user signs both the XML message
> and the digest with the user's private key."
>
> Actually, the user creates a manifest (i.e., SignedInfo) of references to
> the objects being secured and their digest values. This manifest itself
> is then digested and cryptographically signed. The first digest captures
> the "fingerprint" of the files being secured. The second digest is over
> the first set (and retains their import) but also includes security

information

> (such as the signature algorithm). This value is then bound to a private
> key via a cryptographic signature algorithm.
>
> The two important points here are that:
> 1. The two step: digesting the digest values is an easy way to

collectively

> process a collection of resources.
> 2. A cryptographic signature is a computionally expensive procedure that
> binds some data with a private key. Applying this procedure to the data
> would be expensive and unnecessary. For the purposes of signature, I can
> "sign" the data's digest value just as well.
>
> [1] http://www.xml.com/pub/a/2002/09/18/c14n.html
>
>
> --
> *Note: I will be traveling and attending meetings Oct 2/3 in California;

and

> Oct 5-15 in Australia. I will not be very responsive during this period;
> I will fully respond to any email as soon as possible after my return.
>
> Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
> W3C Policy Analyst                mailto:reagle@w3.org
> IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature/
> W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/

__________________________________________________
Do You Yahoo!?
Everything you'll ever need on one web page
from News and Sport to Email and Music Charts
http://uk.my.yahoo.com
Received on Monday, 2 December 2002 10:32:16 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:16 GMT