W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > April to June 2001

Re: DSAKeyValue text

From: Donald E. Eastlake 3rd <dee3@torque.pothole.com>
Date: Wed, 06 Jun 2001 21:04:38 -0400
Message-Id: <200106070104.VAA0000042229@torque.pothole.com>
To: Saroop Mathur <saroop@xpressent.com>
cc: w3c-ietf-xmldsig@w3.org

While you typically want to send certificates of some sort along with
a signature, why would you always need them with encryption? The
recipient can probably recognize if the material is encrypted for them
by looking up the public key to see if its one of theirs and if so,
they presumably have the private key. There are lots of different
circumstances possible. You don't need to send any keyinfo at
all. Even if just sending a bare public KeyValue would be unusual, its
pretty easy to support and good for testing :-)

Donald

From:  Saroop Mathur <saroop@xpressent.com>
Message-ID:  <20010606215347.85823.qmail@web10401.mail.yahoo.com>
Date:  Wed, 6 Jun 2001 14:53:47 -0700 (PDT)
To:  Donald E Eastlake 3rd <dee3@torque.pothole.com>, w3c-ietf-xmldsig@w3.org
In-Reply-To:  <3B1E7F95.F31D1C61@torque.pothole.com>

>This is somewhat offtopic and may already have been discussed previous.
>If so, I apologize.
>
>What is the value of sending RSA/DSA public keys outside of
>certificates? Without certificates, the public keys cannot be trusted.
>Unless I am missing something, I would suggest that the XMLDSIG should
>discourage implementations from sending public keys without
>certificates. Currently, section 4.4.2 section specifies that support
>for DSAKeyValue element is REQUIRED. Doesn't this lead to
>implementations that are insecure?
>
>-Saroop
>
>__________________________________________________
>Do You Yahoo!?
>Get personalized email addresses from Yahoo! Mail - only $35 
>a year!  http://personal.mail.yahoo.com/
Received on Wednesday, 6 June 2001 21:09:16 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 20:10:05 UTC