W3C home > Mailing lists > Public > xml-encryption@w3.org > August 2000

Re: encryption in XML & in SMIME

From: Stephen Farrell <stephen.farrell@baltimore.ie>
Date: Mon, 28 Aug 2000 22:08:10 +0100
Message-ID: <39AAD4BA.FE4143AA@baltimore.ie>
To: Ed Simon <ed.simon@entrust.com>
CC: "'Don Davis'" <dtd@world.std.com>, xml-encryption@w3.org, don@MIT.EDU, "Ralph R. Swick" <swick@w3.org>, reagle@w3.org, xme <stephen.farrell@baltimore.ie>

Ed,

Not enough detail to say, (you didn't show where the signature
bits are), but assuming they're outside the EMail then...

<Signature>
...
<EMail>
<To>Captain Kirk</To>
<From>Starfleet Command (Dublin)</From>
<StarDate>2435CE January 19 11:22:33.44 UCT</StarDate>
<Subject>Romulan invasion fleet</Subject>
<Message><Encryption>MIIxyz...</Encryption></Message>
</EMail>
...
</Signature>

Still says whatever it says, even if the Dublin starfleet folks
have no idea what it says. This is independent of XML (and any
other representation) - basically you can steal ciphertext if
the signature's on the outside.

One way 'round this is to include the keyInfo inside the 
plaintext and for the recipient to know to compare that to
the keyInfo actually used to verify the signature. If they
match then the encryptor and signer are the same, otherwise
not.

One potential XML advantage would be if the signature bits
and keyInfo could be inside the Encryption...maybe someone
can figure that transform!

Stephen.


-- 
____________________________________________________________
Stephen Farrell         				   
Baltimore Technologies,   tel: (direct line) +353 1 647 7406
61 Fitzwilliam Lane,                    fax: +353 1 647 7499
Dublin 2.                mailto:stephen.farrell@baltimore.ie
Ireland                             http://www.baltimore.com
Received on Monday, 28 August 2000 17:06:50 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 October 2009 08:42:17 GMT