Re: Combining signing and encrypting from hal@finney.org on 2000-11-29 (xml-encryption@w3.org from November 2000)

From: <hal@finney.org>
Date: Tue, 28 Nov 2000 18:51:13 -0800
To: hal@finney.org, MARUYAMA@jp.ibm.com
Cc: xml-encryption@w3.org
Message-Id: <200011290251.SAA25904@finney.org>

Hiroshi Maruyama, <MARUYAMA@jp.ibm.com>, writes:

> This is a valid discussion and application should be careful
> about this.  However, if we require all signature over data
> to be encrypted are also encrypted, we cannot handle certain
> cases of detached signature.  For example, when signature S and
> document X are stored separately, and later if someone wants
> to encrypt X without having access to S, the above rule cannot
> be realized.

That's true, this is a problem case.  I note that the proposals to
modify the signature block would also fail in this case.  Perhaps some
advisory notation in the encryption block would be possible, at least if
the encryption processor knew there were a relevant signature floating
around somewhere.

I maintain that it is very unwise cryptographically to encrypt a message
and leave its signature block exposed.  So if at all possible this
condition should be avoided.

> Another case would be that two different parties want to
> encrypt different parts of the same (set of) signed document
> independently. This situation would most likely arise
> when a signature has multiple <Reference> elements pointing
> to multiple XML documents (e.g., a signature on a purchase
> order may have a "Customer" document and a "Payment" document
> separately, each of which may have different policies on
> privacy).

The signature should not be verified until both encryptions are decrypted
in this case, correct?  It seems necessary for security to encrypt the
signature block when the first encryption is applied, whichever one it is.

The problem then arises if we apply the second encryption, and then
decrypt the first one.  The plaintext signature block will reappear,
but it will fail to verify due to the presence of the second encryption.
There will be no visible indication that the second encryption must be
decrypted in order to verify the signature.

I will have to give this some thought and see if I can propose a safe
way to handle it.

Hal Finney
PGP Security

Received on Tuesday, 28 November 2000 21:49:43 UTC