RE: encryption in XML & in SMIME from Dick Brooks on 2000-08-28 (xml-encryption@w3.org from August 2000)

From: Dick Brooks <dick@8760.com>
Date: Mon, 28 Aug 2000 16:17:58 -0500
To: <stephen.farrell@baltimore.ie>, "Ed Simon" <ed.simon@entrust.com>
Cc: "'Don Davis'" <dtd@world.std.com>, <xml-encryption@w3.org>, <don@MIT.EDU>, "Ralph R. Swick" <swick@w3.org>, <reagle@w3.org>
Message-ID: <NDBBIOBLMLCDOHCHIKMGIEOLDLAA.dick@8760.com>

Stephen,

> One potential XML advantage would be if the signature bits
> and keyInfo could be inside the Encryption...maybe someone
> can figure that transform!
> 

Isn't this essentially what's happening with an encapsulated signature?

Dick Brooks
Group 8760
110 12th Street North
Birmingham, AL 35203
dick@8760.com
205-250-8053
Fax: 205-250-8057
http://www.8760.com/

InsideAgent - Empowering e-commerce solutions 

> -----Original Message-----
> From: xml-encryption-request@w3.org
> [mailto:xml-encryption-request@w3.org]On Behalf Of Stephen Farrell
> Sent: Monday, August 28, 2000 4:08 PM
> To: Ed Simon
> Cc: 'Don Davis'; xml-encryption@w3.org; don@MIT.EDU; Ralph R. Swick;
> reagle@w3.org; xme
> Subject: Re: encryption in XML & in SMIME
> 
> 
> 
> Ed,
> 
> Not enough detail to say, (you didn't show where the signature
> bits are), but assuming they're outside the EMail then...
> 
> <Signature>
> ...
> <EMail>
> <To>Captain Kirk</To>
> <From>Starfleet Command (Dublin)</From>
> <StarDate>2435CE January 19 11:22:33.44 UCT</StarDate>
> <Subject>Romulan invasion fleet</Subject>
> <Message><Encryption>MIIxyz...</Encryption></Message>
> </EMail>
> ...
> </Signature>
> 
> Still says whatever it says, even if the Dublin starfleet folks
> have no idea what it says. This is independent of XML (and any
> other representation) - basically you can steal ciphertext if
> the signature's on the outside.
> 
> One way 'round this is to include the keyInfo inside the 
> plaintext and for the recipient to know to compare that to
> the keyInfo actually used to verify the signature. If they
> match then the encryptor and signer are the same, otherwise
> not.
> 
> One potential XML advantage would be if the signature bits
> and keyInfo could be inside the Encryption...maybe someone
> can figure that transform!
> 
> Stephen.
> 
> 
> -- 
> ____________________________________________________________
> Stephen Farrell         				   
> Baltimore Technologies,   tel: (direct line) +353 1 647 7406
> 61 Fitzwilliam Lane,                    fax: +353 1 647 7499
> Dublin 2.                mailto:stephen.farrell@baltimore.ie
> Ireland                             http://www.baltimore.com

Received on Monday, 28 August 2000 17:21:42 UTC