Re: Signing and Encryption from Yongge Wang on 2001-01-26 (xml-encryption@w3.org from January 2001)

From: Yongge Wang <ywang@certicom.com>
Date: Fri, 26 Jan 2001 10:01:46 -0500
To: xml-encryption@w3.org
Message-ID: <852569E0.00521BAE.00@smtpmail.certicom.com>

> I agree that signature needs to be encrypted, but I'm not sure why entire
> signed data also needs to be encrypted.  Encrypting any portion of signed

At least the <SignedInfo> element should be encrypted. that contains the
the hash value, which makes the Dictionary attack possible.

> data will make signature invalid, but to recover the signature, we
> introduce EncryptedReference element.  The element can be used as follows
> (I wrote before that the element may appear within ds:SignaturePropery
> element, but I changed my mind ...).

Received on Friday, 26 January 2001 10:03:06 UTC