Re: Manually Signed Digest as an XML signature type

     The reason I have the manual signature in a SignatureProperty, rather
than KeyInfo, is that SignatureProperty tends to be data associated both
with the signer and with the signed document or the circumstances of its
signing, while KeyInfo is typically data associated with the signer which
is in no way specific to the document.
     This signature technique does not have any cryptographic key at all,
even though it is a variation on XML signatures.  It also cannot be
verified fully by any automated technique.

          Tom Gindin


"Joseph M. Reagle Jr." <reagle@w3.org> on 06/05/2000 04:55:16 PM

To:   Tom Gindin/Watson/IBM@IBMUS
cc:   w3c-ietf-xmldsig@w3.org
Subject:  Re: Manually Signed Digest as an XML signature type



At 07:31 PM 5/31/00 -0400, tgindin@us.ibm.com wrote:
 >     Is there any point in the current draft which would need to be changed
 >to make allowances for someone to define a "manually verifiable" signature
 >technique in this connection?

I hope not. The intent of the design is to permit externally defined
signature techniques and not become a repository for all signature
profiles.

 >1    A new value for SignatureMethod "manuallySignedDigest".  This value
 >for SignatureMethod implies that the SignatureValue itself consists of the
 >base 64 encoding of the message digest and is not signed.  This method's
 >main parameter is a reference to a SignatureProperty containing the manual
 >signature.  It might also accept a parameter giving the data type of the
 >manual signature.
 >
 >2    The manual signature itself, in a SignatureProperty.  This manual
 >signature should contain a voice recording, transcribed signature, or the
 >like which is performed by the user (signed with handwriting or spoken) and
 >in which the user him/herself records the message digest.

If I was designing this application, my initial thought would've been to
place this data in KeyInfo:

"KeyInfo is an optional element that enables the recipient(s) to obtain the
key(s) needed to validate the signature."

"Additional information items concerning the generation of the signature(s)
can be placed in a SignatureProperty element."

My own distinction between these two things is that KeyInfo is the
information necessary to procedurally generate/confirm the SignatureValue
octets and any of its metadata (like a signed cert); SignatureProperties is
other data relevant to application/trust decisions about the
assuredness/trustworthiness of that SignatureValue. If others agree, we
could try to make this clearer...



_________________________________________________________
Joseph Reagle Jr.
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/People/Reagle/

Received on Monday, 5 June 2000 17:09:09 UTC
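
Added example, not part of the original thread or of any XML-Signature implementation: a Python sketch of the part of a "manuallySignedDigest" signature that a program can check, which never reports more than "needs human review" because the digest is unkeyed. The algorithm URI, the `ManualSignatureRef` attribute, the use of SHA-256 over the signed bytes, and the sample document are all assumptions made for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"      # namespace of the published XML-Signature spec
MANUAL_URI = "urn:example:manuallySignedDigest"  # hypothetical: the thread assigns no URI

def check_manual_digest(signature_xml, message):
    """Run the automatable checks; the result is never 'valid' on its own."""
    sig = ET.fromstring(signature_xml)
    method = sig.find(f"{DS}SignedInfo/{DS}SignatureMethod")
    if method is None or method.get("Algorithm") != MANUAL_URI:
        raise ValueError("SignatureMethod is not manuallySignedDigest")
    try:
        text = sig.findtext(f"{DS}SignatureValue", default="").strip()
        claimed = base64.b64decode(text, validate=True)
    except binascii.Error:
        claimed = b""
    # Assumption: the "message digest" is SHA-256 over the signed bytes.
    digest_ok = hmac.compare_digest(claimed, hashlib.sha256(message).digest())
    # Hypothetical attribute carrying the method's reference to the SignatureProperty.
    ref = method.get("ManualSignatureRef", "")
    prop = next((p for p in sig.iter(f"{DS}SignatureProperty")
                 if ref == "#" + p.get("Id", "")), None)
    has_manual = prop is not None and bool((prop.text or "").strip())
    # The digest is unkeyed: anyone can recompute it, so a match proves nothing
    # about the signer. Only the manual signature binds a person to the digest.
    status = "needs_human_review" if digest_ok and has_manual else "reject"
    return {"digest_matches": digest_ok, "manual_signature_present": has_manual,
            "status": status}

# Constructed sample input, not taken from the thread.
MESSAGE = b"constructed sample document\n"
SAMPLE = f"""<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="sig">
  <SignedInfo>
    <SignatureMethod Algorithm="{MANUAL_URI}" ManualSignatureRef="#manual"/>
  </SignedInfo>
  <SignatureValue>{base64.b64encode(hashlib.sha256(MESSAGE).digest()).decode()}</SignatureValue>
  <Object><SignatureProperties>
    <SignatureProperty Id="manual" Target="#sig">constructed placeholder for the recording</SignatureProperty>
  </SignatureProperties></Object>
</Signature>"""

if __name__ == "__main__":
    print(check_manual_digest(SAMPLE, MESSAGE))
    print(check_manual_digest(SAMPLE, MESSAGE + b"tampered"))
```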