Re: Signing and Encryption

----- Original Message -----
From: "Rich Salz" <rsalz@caveosystems.com>
To: "Joseph Ashwood" <jashwood@arcot.com>
Cc: "meadowsj" <meadowsj@nobs.ca.boeing.com>; <xml-encryption@w3.org>
> Most auctions work this way, don't they? In other words, an online
> market would just record bids and not disclose the buyer until the end.
But already in the physical world that is seperated, the bid amount is
seperated from the authentication. This would be a very good example of
where a detached signature would be useful. Regardless Franklin came up with
a good reference for this usefulness, fair exchange hadn't occured to me.

Now I guess the next question would be can the fair exchange (or a varient)
be performed with detached signatures at least as effectively as with
attached signatures. If you read the article it also gives possibilities for
when the opposite may be desirable, partial contractless verification (PSS
actually makes use of this in the top bit).

So to recap, I withdraw my position that we need not concern ourselves with
the order of signing and encryption (specifically because of contract
signing issues). And unfortunately this means this will be more difficult.
Maybe it would be most efficient to create a seperate wrapper for each of
these cases:
<exposedSignature> the encrypted data is signed below with the signature in
the clear
<hiddenSignature> the data within is signed, the signature is encrypted
<signThenEncrypt> the data within was signed before encrypting, the data is
encrypted
<encryptThenSign> the data was encrypted then signed, this is a dangerous
action

With the possibility of having more options if they are ever needed. It may
also be necessary to build markings at a later date that specify the various
methods mentioned on http://www.acm.org/crossroads/xrds7-1/contract.html (as
noted by Franklin).
                    Joe (Ashwood)

Received on Monday, 29 January 2001 19:08:07 UTC