Rich Salz [EMAIL PROTECTED] writes:
Peter's shared earlier drafts with me, and we've exchanged email about this.
The only complaint that has a factual basis is this:
I don't want to have to implement XML processing to do
XML Digital Signatures
I don't want to have to
I don't want to have to re-implement Apache in order to do
an SSL implementation. ...
Those analogies aren't apt. XML is a data format, so it's more like
I don't want to have to implement ASN1/DER to do S/MIME
Which is a nonsensical complaint.
Makes sense to me.
Ben Laurie [EMAIL PROTECTED] writes:
Anne Lynn Wheeler wrote:
Peter Gutmann wrote:
That cuts both ways though. Since so many systems *do* screw with data (in
insignificant ways, e.g. stripping trailing blanks), anyone who does massage
data in such a way that any trivial change will be
Peter Gutmann wrote:
Yup, see Why XML Security is Broken,
http://www.cs.auckland.ac.nz/~pgut001/pubs/xmlsec.txt, for more on this.
Peter's shared earlier drafts with me, and we've exchanged email about this.
The only complaint that has a factual basis is this:
I don't want to have to
Ian G wrote:
On Wednesday 01 June 2005 15:07, [EMAIL PROTECTED] wrote:
Ian G writes:
| In the end, the digital signature was just crypto
| candy...
On the one hand a digital signature should matter more
the bigger the transaction that it protects. On the
other hand, the bigger the
Anne Lynn Wheeler wrote:
Peter Gutmann wrote:
That cuts both ways though. Since so many systems *do* screw with data (in
insignificant ways, e.g. stripping trailing blanks), anyone who does massage
data in such a way that any trivial change will be detected is going to be
inundated with
Peter Gutmann wrote:
Yup, see Why XML Security is Broken,
http://www.cs.auckland.ac.nz/~pgut001/pubs/xmlsec.txt, for more on this. Mind
you ASN.1 is little better, there are rules for deterministic encoding, but so
many things get them wrong that experience has shown the only safe way to
handle
Rich Salz [EMAIL PROTECTED] writes:
I think signatures are increasingly being used for technical reasons, not
legal. That is, sign and verify just to prove that all the layers of
middleware and Internet and general bugaboos didn't screw with it.
That cuts both ways though. Since so many
Peter Gutmann wrote:
That cuts both ways though. Since so many systems *do* screw with data (in
insignificant ways, e.g. stripping trailing blanks), anyone who does massage
data in such a way that any trivial change will be detected is going to be
inundated with false positives. Just ask any
Anne Lynn Wheeler [EMAIL PROTECTED] writes:
the problem was that xml didn't have a deterministic definition for encoding
fields.
Yup, see Why XML Security is Broken,
http://www.cs.auckland.ac.nz/~pgut001/pubs/xmlsec.txt, for more on this. Mind
you ASN.1 is little better, there are rules for
That cuts both ways though. Since so many systems *do* screw with data (in
insignificant ways, e.g. stripping trailing blanks), anyone who does massage
data in such a way that any trivial change will be detected is going to be
inundated with false positives. Just ask any OpenPGP implementor
On Wednesday 01 June 2005 15:07, [EMAIL PROTECTED] wrote:
Ian G writes:
| In the end, the digital signature was just crypto
| candy...
On the one hand a digital signature should matter more
the bigger the transaction that it protects. On the
other hand, the bigger the transaction the
[EMAIL PROTECTED] wrote:
On the one hand a digital signature should matter more
the bigger the transaction that it protects. On the
other hand, the bigger the transaction the lower the
probability that it is between strangers who have no
other leverage for recourse.
And, of course, proving
On the one hand a digital signature should matter more
the bigger the transaction that it protects. On the
other hand, the bigger the transaction the lower the
probability that it is between strangers who have no
other leverage for recourse.
I think signatures are increasingly being used for
Ian G writes:
|
| In the end, the digital signature was just crypto
| candy...
|
On the one hand a digital signature should matter more
the bigger the transaction that it protects. On the
other hand, the bigger the transaction the lower the
probability that it is between strangers who
15 matches