W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > July to September 2002

Re: Multiple signatures on multiple files

From: David Wall <dwall@Yozons.com>
Date: Mon, 29 Jul 2002 11:54:15 -0700
Message-ID: <028f01c23731$565c2600$5a2b7ad8@expertrade.com>
To: "Christian Geuer-Pollmann" <geuer-pollmann@nue.et-inf.uni-siegen.de>, <w3c-ietf-xmldsig@w3.org>

> Signing "real data", i.e. signing the message directly is not such a good
idea as it opens the algorithm to some attacks, especially if you use plain
RSA (which would be a very bad idea).

True, but a lot of typical signing includes a hash (RSA/DSA with SHA1), but
the SHA1 works against the actual data being signed (in both digital
signature and legal sense).  In XML Signature, there's a two step process of
doing an SHA1 on the actual data, and then digital signing (hash the hash
and encrypt with the private key), so the digital signature is "signing" a
hash, not the original data.  Anyway, I believe it's sound technically, just
wondered if there's anything "odd" from a legal standpoint since the
signature is once removed from the data being signed.

Received on Monday, 29 July 2002 14:54:02 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 20:10:10 UTC