RE: support for signing plaintext and ciphertext from Amir Herzberg on 2001-05-15 (xml-encryption@w3.org from May 2001)

From: Amir Herzberg <AMIR@newgenpay.com>
Date: Tue, 15 May 2001 09:48:49 +0300
To: "'Joseph M. Reagle Jr.'" <reagle@w3.org>
Cc: "Xml Encrypt (E-mail)" <xml-encryption@w3.org>
Message-ID: <078EE8822DCFD411AAA1000629D56ADC0B7B8C@IMP01>

Joe, 

Your note below reflects my meaning very well. One point to add is that the
signature allows non-repudiation for the plaintext, as well as validation of
the rest of the signature. Namely, 

-- A recipient with the decryption key can validate that the entire message
(including the  encrypted part) was signed 
-- A recipient without the decryption key can only validate the
non-encrypted parts of the message. 

Best regards, 
Amir Herzberg
CTO, NewGenPay Inc.  

See demo and lectures/overviews/tutorials on crypto-security for mobile,
e-commerce, etc. in http://www.newgenpay.com/mpay/course/course.html

> -----Original Message-----
> From: Joseph M. Reagle Jr. [mailto:reagle@w3.org]
> Sent: Monday, May 14, 2001 9:42 PM
> To: Amir Herzberg
> Cc: Xml Encrypt (E-mail)
> Subject: Re: support for signing plaintext and ciphertext
> 
> 
> At 17:48 5/1/2001 +0300, Amir Herzberg wrote:
> >Following our discussion on requirements, I'll like now to 
> request adding
> >support to allow signing of encrypted data. This is by allowing the
> >following new tag in <EncryptedData>:
> >
> >    <HashOfRandomized>
> 
> Amir,
> 
> I'm going to try to restate your proposal using an explicit 
> scenario to make 
> sure I understand it before commenting. Does this capture the gist?
> 
> Given some Structure:
> 
>     <foo>
>        <bar1/>
>        <bar2/>
>        <bar3/>
>        <bar4/>
>     </foo>
> 
> Knowing you want to sign the plaintext version above, as well as
> *subsequently* encrypt element <bar2> without revailing info about the
> plaintext, you include <HashOfRandomized/> which is a has of 
> <bar2> with
> some random data thrown in for entropy if necessary.
> 
>     <foo>
>        <bar1/>
>        <EncryptedData>
>           <HashOfRandomized/>
>           ...
>        </EncryptedData>
>        <bar3/>
>        <bar4/>
>     </foo>
> 
> To sign it
> 
>     <Signature>
>        ...
>        <Reference URI="#eg1">
>        <Transform Algorithm="&enc;#Replace-with-HashOfRandomized">
>        ...
>        <Object Id="eg1">
>           <foo>
>              <bar1/>
>              <EncryptedData>
>                 <HashOfRandomized/>
>                 ...
>              </EncryptedData>
>              <bar3/>
>              <bar4/>
>           </foo>
>        </Object>
>     </Signature>
> 
> Consequently, the signature reveals no data about the plain 
> text secured
> by EncryptedData. Also, it has the other feature that one can 
> change the
> actual EncryptedData (perhaps it's encryption or key) without
> invalidating the signature.
> 
> 
> __
> Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
> W3C Policy Analyst                mailto:reagle@w3.org
> IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature
> W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/
>

Received on Tuesday, 15 May 2001 02:45:23 UTC