- From: Philip Hallam-Baker <pbaker@verisign.com>
- Date: Tue, 29 Aug 2000 09:19:41 -0700
- To: "'Barb Fox'" <bfox@Exchange.Microsoft.com>, Gregor Karlinger <gregor.karlinger@iaik.at>, merlin <merlin@baltimore.ie>, w3c-ietf-xmldsig@w3.org
- Message-ID: <2F3EC696EAEED311BB2D009027C3F4F408EBF1@vhqpostal.verisign.com>
Actually there is an advantage, consider that there is more than one PKCS#1 version. The OID describes the specific packing format.

The verifier MUST understand the OID in order to correctly verify the signature in any case - the OID is embedded in the packing format to prevent a digest substitution attack.

The OID in the message MAY occur in different octet positions depending on the packing format. It is useful to know in advance where the inner OID is positioned in order to correctly validate the signature.

Phill

-----Original Message-----
From: Barb Fox [mailto:bfox@Exchange.Microsoft.com]
Sent: Tuesday, August 29, 2000 11:13 AM
To: Gregor Karlinger; merlin; w3c-ietf-xmldsig@w3.org
Subject: RE: XMLDSIG RSA signatures

The reason that I added this as a MAY is because many toolkits automatically pre-pend that OID in an RSA signature.

--Barb

-----Original Message-----
From: Gregor Karlinger [mailto:gregor.karlinger@iaik.at]
Sent: Tuesday, August 29, 2000 7:02 AM
To: merlin; w3c-ietf-xmldsig@w3.org
Subject: AW: XMLDSIG RSA signatures

Hi all,

I agree with Merlin, providing the option to wrap the RSA signature octets into an ASN.1 structure, however it looks like

* has no benefits,
* adds options which result in a more complicated verification process,
* is confusing (I had to read the text in 6.4.2 some times to get it).

Therefore I also vote to kick this option out.

Regards, Gregor

---------------------------------------------------------------
Gregor Karlinger
mailto://gregor.karlinger@iaik.at
http://www.iaik.at
Phone +43 316 873 5541
Institute for Applied Information Processing and Communications
Austria
---------------------------------------------------------------

> Hi,
>
> In 6.4.2, regarding RSA signatures, the following wording exists:
>
>   A signature MAY contain a pre-pended algorithm object identifier,
>   but the availability of an ASN.1 parser and recognition of OIDs is
>   not required of a signature verifier.
>
> Does this mean that a signature may be (before base 64 encoding):
>
>   SEQUENCE { SEQUENCE { OID . NULL } . BIT_STRING { SIGNATURE_VALUE } }
> or:
>   SEQUENCE { OID . NULL } . BIT_STRING { SIGNATURE_VALUE }
> or:
>   SEQUENCE { OID . NULL } . SIGNATURE_VALUE
> or:
>   OID . SIGNATURE_VALUE
>
> Or, is it suggesting that the OID _within_ the RSA signature
> (before crypting) is optional?
>
> Regardless, I think it adds options and thus confusion and thus
> deserves, perhaps, to be eliminated.
>
> merlin
Received on Tuesday, 29 August 2000 12:21:23 UTC
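
Added example, not part of the original thread or of any toolkit discussed in it: a Python sketch of the PKCS#1 v1.5 packing with the inner OID, and a verifier-side check that rebuilds the expected block for the hash it requires and compares whole blocks. The RSA public-key operation is assumed to happen elsewhere; the function names, the sample message and the 128-octet block size are constructed for illustration.

```python
import hashlib
import hmac

# DER DigestInfo prefixes: SEQUENCE { SEQUENCE { OID, NULL }, OCTET STRING header },
# byte values as listed in RFC 8017, section 9.2.
DIGEST_INFO_PREFIX = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}

def emsa_pkcs1_v15_encode(message, hash_name, em_len):
    """Build 00 01 FF..FF 00 || DigestInfo(OID, digest) of em_len octets."""
    digest = hashlib.new(hash_name, message).digest()
    t = DIGEST_INFO_PREFIX[hash_name] + digest
    if em_len < len(t) + 11:  # at least 8 octets of FF padding
        raise ValueError("encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def check_encoded_message(em, message, expected_hash):
    """Verifier side. `em` stands for the block recovered by the RSA
    public-key operation (assumption: that step happens elsewhere)."""
    try:
        expected = emsa_pkcs1_v15_encode(message, expected_hash, len(em))
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(em, expected)

def bare_digest_block(message, hash_name, em_len):
    """Hypothetical packing with no inner OID, for comparison only."""
    digest = hashlib.new(hash_name, message).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(digest) - 3) + b"\x00" + digest

def demo():
    msg = b"constructed sample message"  # constructed input
    em = emsa_pkcs1_v15_encode(msg, "sha256", 128)  # 1024-bit modulus size
    bare = bare_digest_block(msg, "sha256", 128)
    return {
        "same_hash": check_encoded_message(em, msg, "sha256"),
        "other_hash": check_encoded_message(em, msg, "sha1"),
        "no_oid": check_encoded_message(bare, msg, "sha256"),
    }

if __name__ == "__main__":
    print(demo())
```

Comparing against a rebuilt block means the verifier never has to locate or parse the inner OID at a variable octet position; a block carrying a different OID, or none, simply fails to match.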