- From: Donald E. Eastlake 3rd <dee3@torque.pothole.com>
- Date: Wed, 06 Jun 2001 21:04:38 -0400
- To: Saroop Mathur <saroop@xpressent.com>
- cc: w3c-ietf-xmldsig@w3.org
While you typically want to send certificates of some sort along with a signature, why would you always need them with encryption? The recipient can probably recognize if the material is encrypted for them by looking up the public key to see if it's one of theirs and if so, they presumably have the private key.

There are lots of different circumstances possible. You don't need to send any keyinfo at all. Even if just sending a bare public KeyValue would be unusual, it's pretty easy to support and good for testing :-)

Donald

From: Saroop Mathur <saroop@xpressent.com>
Message-ID: <20010606215347.85823.qmail@web10401.mail.yahoo.com>
Date: Wed, 6 Jun 2001 14:53:47 -0700 (PDT)
To: Donald E Eastlake 3rd <dee3@torque.pothole.com>, w3c-ietf-xmldsig@w3.org
In-Reply-To: <3B1E7F95.F31D1C61@torque.pothole.com>

>This is somewhat offtopic and may already have been discussed previously.
>If so, I apologize.
>
>What is the value of sending RSA/DSA public keys outside of
>certificates? Without certificates, the public keys cannot be trusted.
>Unless I am missing something, I would suggest that the XMLDSIG should
>discourage implementations from sending public keys without
>certificates. Currently, section 4.4.2 specifies that support
>for DSAKeyValue element is REQUIRED. Doesn't this lead to
>implementations that are insecure?
>
>-Saroop
Received on Wednesday, 6 June 2001 21:09:16 UTC
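
The lookup described in the reply above, as an added example that is not part of the original thread or of any XMLDSIG implementation: a recipient parses a bare `ds:KeyValue`/`ds:RSAKeyValue` and decides what it means purely from locally held key lists, so the key in the message acts as a hint rather than a source of trust. The function names, the `key_id` scheme and the sample integers are assumptions made for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"  # XMLDSIG namespace

def to_crypto_binary(n):
    """Big-endian base64 of a positive integer, as ds:CryptoBinary carries it."""
    return base64.b64encode(n.to_bytes((n.bit_length() + 7) // 8, "big")).decode()

def key_id(modulus, exponent):
    """Local lookup handle for an RSA public key (hypothetical scheme)."""
    return hashlib.sha256(f"{modulus:x}:{exponent:x}".encode()).hexdigest()

def build_key_info(modulus, exponent):
    """Bare ds:KeyInfo holding only an RSAKeyValue, no certificate."""
    return ('<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyValue><RSAKeyValue>'
            f"<Modulus>{to_crypto_binary(modulus)}</Modulus>"
            f"<Exponent>{to_crypto_binary(exponent)}</Exponent>"
            "</RSAKeyValue></KeyValue></KeyInfo>")

def parse_rsa_key_value(key_info_xml):
    """Return (modulus, exponent), or None when no RSAKeyValue is present."""
    # For input from untrusted senders, use a hardened XML parser instead.
    root = ET.fromstring(key_info_xml)
    rsa = root.find(f"{DS}KeyValue/{DS}RSAKeyValue")
    if rsa is None:
        return None
    mod, exp = rsa.findtext(f"{DS}Modulus"), rsa.findtext(f"{DS}Exponent")
    if not mod or not exp:
        return None
    return tuple(int.from_bytes(base64.b64decode(v), "big") for v in (mod, exp))

def classify(key_info_xml, my_key_ids, pinned_peer_ids):
    """Decide what a received bare key means, using local state only."""
    key = parse_rsa_key_value(key_info_xml) if key_info_xml else None
    if key is None:
        return "no-keyinfo"      # recipient must already know which key applies
    kid = key_id(*key)
    if kid in my_key_ids:
        return "mine"            # encrypted to a key whose private half I hold
    if kid in pinned_peer_ids:
        return "pinned-peer"     # signer key already trusted out of band
    return "untrusted"           # the math may verify, the identity is unproven

# Constructed sample values (small integers, not real RSA keys).
MY_N, PEER_N, STRANGER_N, E = 0xC0FFEE1234567, 0xBADC0DE7654321, 0xFEEDFACE13579, 65537
MY_KEYS, PINNED = {key_id(MY_N, E)}, {key_id(PEER_N, E)}
```

A signature that verifies under a key classified as `untrusted` shows only that the holder of that key signed the data, which is the gap a certificate or an out-of-band pin is meant to close.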