W3C home > Mailing lists > Public > www-xkms@w3.org > October 2004

Re: Order of sign and encrypt

From: Jose Kahan <jose.kahan@w3.org>
Date: Wed, 13 Oct 2004 17:52:27 +0200
To: tommy lindberg <lindberg_tommy@hotmail.com>
Cc: www-xkms@w3.org
Message-ID: <20041013155227.GC6298@inrialpes.fr>

Hi Tommy,

This is a confirmation message for closing the decision cycle.

The comments you reported[1] was assigned issue 321-tl.

A new paragraph was added to the specification to remove the
ambiguity:

<quote>
[372a]Implementations supporting encryption of Private Key Data MUST
support Shared Secret. Use of Shared Secret is detailed in section 8.1.
</quote>

Please reply to this message if you have any objections as to the
way the changes were incorporated.

[1] http://lists.w3.org/Archives/Public/www-xkms/2004Jul/0035.html
[2] http://www.w3.org/2001/XKMS/Drafts/cr-issues/issues.html#321-tl

-jose
`
On Fri, Jul 09, 2004 at 09:33:50AM +0000, tommy lindberg wrote:
> 
> 
> RegisterResult and RecoverResult may both contain signatures over encrypted
> data, however the order of these operations is not explicitly stated in the 
> spec.
> 
> Given the PrivateKey schema fragment, I'm inclined to draw the conclusion 
> that
> only encrypt-then-sign is required.  Is this the intention and if so does 
> this warrant
> a clarifying statement to that effect?
> 
> Speculation:
> 
> I believe the (un-encrypted) RSAKeyPair is deliberatly omitted from 
> PrivateKey so
> as to *allow* implementations to mitigate the risk of disclosure of 
> sensitive stuff
> through, say, the use of special purpose cryptographic hardware that, apart 
> from their
> primary purpose, also can be programmed to extract the private key 
> components from the
> surface syntax of an RSAKeyPair element.  I imagine that this design 
> *could* stand in the way
> of supporting sign-then-encrypt in XKMS  - assuming that 
> generating/verifying an enveloped
> signature is performed over a schema valid document, which is the only way 
> I have explored.
> 
> 
> Regards
> Tommy
> 
> [1] http://www.w3.org/TR/2002/REC-xmlenc-decrypt-20021210
> 
> _________________________________________________________________
> Tired of spam? Get advanced junk mail protection with MSN 8. 
> http://join.msn.com/?page=features/junkmail
> 
Received on Wednesday, 13 October 2004 15:52:39 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 October 2009 08:39:23 GMT