W3C home > Mailing lists > Public > xml-encryption@w3.org > July 2001

RE: Decryption Transform

From: Scherling, Mark <mscherling@rsasecurity.com>
Date: Tue, 3 Jul 2001 14:43:59 -0700
Message-ID: <016D1D1E0314D5118A7F00508BD9525272DD12@exvan01.x509.com>
To: "'Joe Meadows'" <joe.meadows@boeing.com>, "Joseph M. Reagle Jr." <reagle@w3.org>
Cc: John Cowan <cowan@mercury.ccil.org>, John Cowan <jcowan@reutershealth.com>, imamu@jp.ibm.com, maruyama@jp.ibm.com, xml-encryption@w3.org
I would agree with Joe and John that you should never sign an encrypted
document.  It's like signing a blank check.  

Having said that, I could see an application signing an encrypted document
similar to a notary function. This notary function would stamp the document
to the effect that the document was issued (passed through) by the
application at this time and this date.  

Other than that I don't see any value in signing encrypted documents.  It
does not prove anything except time and date.  It does not validate content,
nor the signer, nor does it provide integrity.


-----Original Message-----
From: Joe Meadows [mailto:joe.meadows@boeing.com]
Sent: Tuesday, July 03, 2001 2:36 PM
To: Joseph M. Reagle Jr.
Cc: John Cowan; John Cowan; imamu@jp.ibm.com; maruyama@jp.ibm.com;
Subject: Re: Decryption Transform

At 22:17 7/2/2001, John Cowan wrote:
>I am arguing that the whole verify-decrypt-verify scenario is bad practice:
>it comes about only if people sign encrypted material, *which they should
>never do*.  We may need it nonetheless to compensate for pre-existing
>bad practice.

I'd also disagree with this. I can imagine encrypting a document, sending it
to a second party, having them sign the encrypted document, and pass it on
a third party. Seems like there were some sensible non-repudiation schemes
on this sort of logic in the past (the intermediate party doesn't know what
but given appropriate plain text or keys, can verify later if a contract
comes up). I realize I'm being light on details - blame it on really sunny
in the pacific northwest [it's oh so unusual!]..

Received on Thursday, 5 July 2001 09:39:13 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:32:00 UTC