W3C home > Mailing lists > Public > xml-encryption@w3.org > January 2001

RE: Signing and Encryption

From: Frederick J. Hirsch <hirsch@caveosystems.com>
Date: Tue, 23 Jan 2001 10:03:21 -0500
To: "Joseph Ashwood" <jashwood@arcot.com>, <xml-encryption@w3.org>
Message-ID: <NEBBLPMKCKBLFHBJIHPCMEIJCIAA.hirsch@caveosystems.com>
I guess there is a conflict between potential business workflow requirements and
technology requirements.

The business workflow model suggests that a document may be passed around among
parties who arbitrarily sign and/or encrypt portions of the XML - like the
previous example of the DoD signing an element, and then later, independently,
the CIA deciding to encrypt a portion. A user may have reasons for doing these
things without concern for the technology.

On the other hand, from a security technology perspective, there are rules about
combining encryption and signing in a secure manner, which limits what should be
done, or perhaps suggests that additional encryption/signing be performed when

The suggestion that the management of signing and encryption is separate from
the individual signing and encryption standards makes sense - maybe that is
application dependent.

< Frederick

> -----Original Message-----
> From: xml-encryption-request@w3.org
> [mailto:xml-encryption-request@w3.org]On Behalf Of Joseph Ashwood
> Sent: Monday, January 22, 2001 6:17 PM
> To: xml-encryption@w3.org
> Subject: Re: Signing and Encryption
> From: "Frederick J. Hirsch" <hirsch@caveosystems.com>
> > As a result I think we need three pieces of information when signing and
> > encrypting portions of XML:
> > - Signing information (in the Signature elements)
> > - Encryption information (in the EncryptedData and EncryptedKey elements)
> > - Document meta information (regarding the document as a whole and
> interactions)
> >
> > The third item is only needed when the interactions exist and are
> potentially
> > ambiguous.
> I don't see any ambiguous cases. If portions of the document are encrypted
> after the document (or a subset of it) has been signed, the encryption
> itself is an alteration, so the encryption should void the signature until
> the encryption is removed. If the document is encrypted before signing, the
> encrypted data is what has been signed, by decrypting it you should
> invalidate the signature. Whether or not we can unambiguously assign an
> ordering to these is not an issue. The issue is a program one, or rather an
> ambiguous understanding of the requirements of the program, it has been
> shown that encrypting before signing is bad (ref. PKCS #1 v1.0 was broken
> when it was shown that you could alter the data that was signed by changing
> the RSA key for the encryption, and the signature remained valid), by
> forcing the encryption/decryption of data to invalidate the signature we
> enforce this issue, the statement about the encrypted data is "This
> encrypted data has been certified as untampered" if the key is also
> certified then the statement is stronger, however if the key is signed then
> the order of operations is unambiguous, the encryption happened before the
> signing. I believe the (semi-)ambiguous cases should not be addressed,
> perhaps specifically left unaddressed, because the statement that is made is
> by nature ambiguous.
>                         Joe
Received on Tuesday, 23 January 2001 09:56:19 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 23:13:01 UTC