- From: Joseph Reagle <reagle@w3.org>
- Date: Fri, 27 Sep 2002 10:13:53 -0400
- To: wap_monster@yahoo.com
- Cc: XML Signature <w3c-ietf-xmldsig@w3.org>
Hi Bilal, In [1] you state, "When a user wants to sign an XML document, there is a two step procedure. First, the user digests the XML file to be signed and produces a digest value. Secondly, the user signs both the XML message and the digest with the user's private key." Actually, the user creates a manifest (i.e., SignedInfo) of references to the objects being secured and their digest values. This manifest itself is then digested and cryptographically signed. The first digest captures the "fingerprint" of the files being secured. The second digest is over the first set (and retains their import) but also includes security information (such as the signature algorithm). This value is then bound to a private key via a cryptographic signature algorithm. The two important points here are that: 1. The two step: digesting the digest values is an easy way to collectively process a collection of resources. 2. A cryptographic signature is a computionally expensive procedure that binds some data with a private key. Applying this procedure to the data would be expensive and unnecessary. For the purposes of signature, I can "sign" the data's digest value just as well. [1] http://www.xml.com/pub/a/2002/09/18/c14n.html -- *Note: I will be traveling and attending meetings Oct 2/3 in California; and Oct 5-15 in Australia. I will not be very responsive during this period; I will fully respond to any email as soon as possible after my return. Joseph Reagle Jr. http://www.w3.org/People/Reagle/ W3C Policy Analyst mailto:reagle@w3.org IETF/W3C XML-Signature Co-Chair http://www.w3.org/Signature/ W3C XML Encryption Chair http://www.w3.org/Encryption/2001/
Received on Friday, 27 September 2002 10:13:56 UTC