- From: Stephen Farrell <stephen.farrell@baltimore.ie>
- Date: Mon, 28 Aug 2000 22:08:10 +0100
- To: Ed Simon <ed.simon@entrust.com>
- CC: "'Don Davis'" <dtd@world.std.com>, xml-encryption@w3.org, don@MIT.EDU, "Ralph R. Swick" <swick@w3.org>, reagle@w3.org, xme <stephen.farrell@baltimore.ie>
Ed, Not enough detail to say, (you didn't show where the signature bits are), but assuming they're outside the EMail then... <Signature> ... <EMail> <To>Captain Kirk</To> <From>Starfleet Command (Dublin)</From> <StarDate>2435CE January 19 11:22:33.44 UCT</StarDate> <Subject>Romulan invasion fleet</Subject> <Message><Encryption>MIIxyz...</Encryption></Message> </EMail> ... </Signature> Still says whatever it says, even if the Dublin starfleet folks have no idea what it says. This is independent of XML (and any other representation) - basically you can steal ciphertext if the signature's on the outside. One way 'round this is to include the keyInfo inside the plaintext and for the recipient to know to compare that to the keyInfo actually used to verify the signature. If they match then the encryptor and signer are the same, otherwise not. One potential XML advantage would be if the signature bits and keyInfo could be inside the Encryption...maybe someone can figure that transform! Stephen. -- ____________________________________________________________ Stephen Farrell Baltimore Technologies, tel: (direct line) +353 1 647 7406 61 Fitzwilliam Lane, fax: +353 1 647 7499 Dublin 2. mailto:stephen.farrell@baltimore.ie Ireland http://www.baltimore.com
Received on Monday, 28 August 2000 17:06:50 UTC