The client can use signatures for two purposes: to convince the server that the data is authentic, and/or to convince a third party that the data* is authentic. In the first case, the "data" might be considered to be the entirety of the message/entry/etc. In the second case, the "data*" might be a subset of the "data". So, one could envision something like:

SIG1 = DSIG(Kclient, some_data | data* | some_more_data)
SIG2 = DSIG(Kclient, data*)

The server may want to use its own signature for what it publishes, so it might publish

SIG3 = DSIG(Kserver, modified(some_data, some_more_data))

but it might also publish client_identity, data* and SIG2 so that a third party could validate the authenticity of data* with respect to the client (assuming that the client wants his identity associated with data*).

It can be tricky to keep data* and SIG2 in a form that allows a third party to validate it, and thus, it is probably necessary to keep data* and SIG2 as opaque blobs and let the third party tackle the problem of verifying that displayed(data*) has some reasonable relationship to data* itself.

Hilarie
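
The three signatures described in the message above, as an added Go example that is not part of the original message. It assumes Ed25519 for DSIG, a length-prefixed encoding for "|", and a placeholder for modified(); the function names, type names and sample fields are hypothetical and constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// frame length-prefixes each field so that field boundaries are signed too.
// Assumption: the message's "|" does not specify an encoding.
func frame(fields ...[]byte) (out []byte) {
	for _, f := range fields {
		out = append(binary.BigEndian.AppendUint32(out, uint32(len(f))), f...)
	}
	return
}

// Published is what the server exposes: its own SIG3 over the modified
// fields, plus the client's data* and SIG2 carried as untouched blobs.
type Published struct{ Modified, Sig3, DataStar, Sig2 []byte }

// serverAccept checks SIG1 over the whole entry before publishing anything.
func serverAccept(cpub ed25519.PublicKey, spriv ed25519.PrivateKey,
	some, star, more, sig1, sig2 []byte) (Published, bool) {
	if !ed25519.Verify(cpub, frame(some, star, more), sig1) {
		return Published{}, false
	}
	mod := frame([]byte("published"), some, more) // stand-in for modified(...)
	return Published{mod, ed25519.Sign(spriv, mod), star, sig2}, true
}

// demo returns: server accepted SIG1, third party verified the exact data*
// blob, third party verified a re-serialized data*, SIG3 verified.
func demo() (accepted, exact, reserialized, sig3ok bool) {
	cpub, cpriv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	spub, spriv, _ := ed25519.GenerateKey(nil)
	// Constructed sample fields.
	some, star, more := []byte("hdr"), []byte(`{"claim": "x"}`), []byte("trailer")
	sig1 := ed25519.Sign(cpriv, frame(some, star, more)) // SIG1
	sig2 := ed25519.Sign(cpriv, star)                    // SIG2
	p, accepted := serverAccept(cpub, spriv, some, star, more, sig1, sig2)
	exact = ed25519.Verify(cpub, p.DataStar, p.Sig2)
	reserialized = ed25519.Verify(cpub, []byte(`{"claim":"x"}`), p.Sig2)
	sig3ok = ed25519.Verify(spub, p.Modified, p.Sig3)
	return
}

func main() { fmt.Println(demo()) }
```

The re-serialized data* differs from the signed bytes only by one space, yet SIG2 no longer verifies, which is why data* and SIG2 have to travel as opaque blobs.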
