- From: Dournaee, Blake <bdournaee@rsasecurity.com>
- Date: Thu, 7 Jun 2001 08:55:50 -0700
- To: "'Saroop Mathur'" <saroop@xpressent.com>, w3c-ietf-xmldsig@w3.org
Saroop, I think I can answer at least part of your question. Certain applications might already have authenticated the sender of the signature through some other means that is not explicitly part of the <Signature> element. In this case the public key can be used to verify the integrity of the data. It would be inefficient to only allow certificates to be sent - they are much larger and contain additional information that is redundant if the sender has already been properly authenticated. Can anyone out there add to this? Blake Dournaee Toolkit Applications Engineer RSA Security "The only thing I know is that I know nothing" - Socrates -----Original Message----- From: Saroop Mathur [mailto:saroop@xpressent.com] Sent: Thursday, June 07, 2001 6:49 AM To: w3c-ietf-xmldsig@w3.org Subject: Re: DSAKeyValue text This is somewhat offtopic and may already have been discussed previous. If so, I apologize. What is the value of sending RSA/DSA public keys outside of certificates? Without certificates, the public keys cannot be trusted. Unless I am missing something, I would suggest that the XMLDSIG should discourage implementations from sending public keys without certificates. Currently, section 4.4.2 section specifies that support for DSAKeyValue element is REQUIRED. Doesn't this lead to implementations that are insecure? -Saroop __________________________________________________ Do You Yahoo!? Get personalized email addresses from Yahoo! Mail - only $35 a year! http://personal.mail.yahoo.com/
Received on Thursday, 7 June 2001 11:57:43 UTC