W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > April to June 2001

RE: DSAKeyValue text

From: Dournaee, Blake <bdournaee@rsasecurity.com>
Date: Thu, 7 Jun 2001 08:55:50 -0700
Message-ID: <E7B6CB80230AD31185AD0008C7EBC4D2DAED8B@exrsa01.rsa.com>
To: "'Saroop Mathur'" <saroop@xpressent.com>, w3c-ietf-xmldsig@w3.org
Saroop,

I think I can answer at least part of your question. 

Certain applications might already have authenticated the sender of the
signature through some other means that is not explicitly part of the
<Signature> element.

In this case the public key can be used to verify the integrity of the data.
It would be inefficient to only allow certificates to be sent - they are
much larger and contain additional information that is redundant if the
sender has already been properly authenticated.

Can anyone out there add to this?

Blake Dournaee
Toolkit Applications Engineer
RSA Security
 
"The only thing I know is that I know nothing" - Socrates
 
 


-----Original Message-----
From: Saroop Mathur [mailto:saroop@xpressent.com]
Sent: Thursday, June 07, 2001 6:49 AM
To: w3c-ietf-xmldsig@w3.org
Subject: Re: DSAKeyValue text


This is somewhat offtopic and may already have been discussed previous.
If so, I apologize.

What is the value of sending RSA/DSA public keys outside of
certificates? Without certificates, the public keys cannot be trusted.
Unless I am missing something, I would suggest that the XMLDSIG should
discourage implementations from sending public keys without
certificates. Currently, section 4.4.2 section specifies that support
for DSAKeyValue element is REQUIRED. Doesn't this lead to
implementations that are insecure?

-Saroop

__________________________________________________
Do You Yahoo!?
Get personalized email addresses from Yahoo! Mail - only $35 
a year!  http://personal.mail.yahoo.com/
Received on Thursday, 7 June 2001 11:57:43 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 20:10:05 UTC