W3C home > Mailing lists > Public > w3c-xml-sig-ws@w3.org > April 1999

Re: Fw: XML versus ASN.1/DER blob

From: Paul Lambert <plambert@certicom.com>
Date: Wed, 21 Apr 1999 11:57:58 -0700
To: Alan Kotok <kotok@w3.org>
cc: "John Boyer" <jboyer@uwi.com>, "Dsig group" <w3c-xml-sig-ws@w3.org>
Message-ID: <8825675A.0066A8FC.00@domino2.certicom.com>

>What "encryption" binds the identifying information unique to the
>signer and the description of what is being signed?

Biometrics provide nothing more that a unique identifier.  It is an
identifier that is a little more difficult to duplicate that a name or
serial number.  Biometrics are forgeable  Biometrics are relatively easy to
duplicate since they are just a string of bits.  Any strength in the
authentication must be based on the hardware component that is used to read
the biometric data.  Either a public key technique or a keyed hash is
required then to authenticate the biometric input device.  Cryptographic
techniques are also required to prevent the modification of biometric data
in transit for remote authentication applications.

Biometrics may be an interesting attribute to associate with a key.  As an
attribute of a key they could be used as part of an authentication or
identification process.

>There seems to be general agreement that whatever we develop should be
able
>to accommodate multiple signature technologies.

No!  I do agree that we should support a few different public key
algorithms.  I do agree that we may want to support encryption, key
exchanges, or keyed hashes.  A keyed hash has it's own properties and
should not be described as a digital signature.

Paul






Alan Kotok <kotok@w3.org> on 04/21/99 11:42:20 AM

To:   "John Boyer" <jboyer@uwi.com>
cc:   "Dsig group" <w3c-xml-sig-ws@w3.org> (bcc: Paul Lambert/Certicom)
Subject:  Re: Fw: XML versus ASN.1/DER blob




At 01:24 PM 4/21/99 , John Boyer wrote:
>...
>The pen people's biometric tokens are encrypted blobs containing biometric
>measures of the act of signing as well as a sha-1 or md5 hash of the
>document being signed.  The biometrics identify the signer, the act of
>signing implies authorization (same as paper), the hash authenticates the
>document content, and the encryption binds the two together.  The pen
people
>claim that this signing technology offers an electronic solution that is
at
>least as secure or substantially more secure than the paper signatures
that
>we currently accept.

There seems to be general agreement that whatever we develop should be able
to accomodate multiple signature technologies.  There also seems to be
agreement that it is not the work of this group to judge the strength or
merit of any particular technology.

But it does seem necessary to understand the requirements posed by known
signature technologies on the specifications we develop.  Therefore, I
would assume we need to understand how signing using biometrics relates to
the process we are more familiar with: that of encrypting the hash of a
signature block using the private key of a public keypair.

Maybe I'm a bit dense, but I can't figure out the explanation provided
above.  What "encryption" binds the identifying information unique to the
signer and the description of what is being signed?  Could you take us
through that operation in more detail?

Thanks.

Alan
___________________________________________________________________________
Alan Kotok, Associate Chairman                          mailto:kotok@w3.org
World Wide Web Consortium                                 http://www.w3.org
MIT Laboratory for Computer Science,  545 Technology Square,  Room NE43-409
Cambridge, MA 02139, USA     Voice: +1-617-258-5728    Fax: +1-617-258-5999
Received on Wednesday, 21 April 1999 15:06:21 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 11:28:04 EDT