- From: Amir Herzberg <AMIR@newgenpay.com>
- Date: Mon, 26 Mar 2001 12:51:41 +0100
- To: xml-encryption@w3.org
Hal Finney says, > I understand now what you mean when you say that you can sign the > plaintext and not encrypt the signature while retaining security. > The same technique is used in a MAC, a Message Authentication Code. > It allows for authentication and non-repudiation only to those who > share some secret with the signer. Such techniques are commonly used > in communication protocols like SSL or IPsec. Actually, MAC provides authentication but not non-repudiation. The (standard) technique I suggested provides non-repudiation, where confidentiality may need to be sacrified when presenting the proof. > > However it almost sounds like you are claiming that this form > of signature > can be verified by parties who don't have access to the plaintext. > But clearly a hash-based signature, even if it involves some secret > material, can only be verified if the plaintext which was hashed is > available to the verifier. Two comments: 1. Revealing the plaintext to `prove` is done only as needed and when needed, and possibly only to a somewhat-trusted entity (judge). [No offense intended :-)] 2. The signature can also contain components which are not encrypted. Some entities may be able to authenticate only the non-encrypted parts and the ciphertext. > > You write above that you want to provide non-repudiation > "without exposing > all content to some parties that still need to verify the signature". > Are you saying that you will not expose some of the SIGNED content to > a party which is nevertheless able to verify the signature? > This is what > seems impossible. I hope my clarification above helped to clear things up. Best regards, Amir Herzberg CTO, NewGenPay Inc. Phone: +972-(3)-6958844 x202 Mobile: +972-(54)-985724 Fax: +972-(3)-6954535 See our demo and overview/tutorials on secure e-commerce in http://www.NewGenPay.com
Received on Monday, 26 March 2001 04:48:14 UTC