ere wrote:

There are some security problems with that approach.  In effect, you're
asking the client to sign a hash on something the client has not seen.

Yes, OK, you are right, this thing is very, very important. In reality, the user either sees the doc in a frame when he goes to sign, or he can download or see it when he wants...

But he must trust the server that the hash received from the server is the hash for the document thus downloaded/displayed. The server could still falsify.

So, you could substitute the hash for a document in which the client
promises to give you all his money and assets, and the client would
sign it.  Not a good idea.

Yes, but you can do this with the sign in 1 step too; this problem is in the
sign tool, not in the kind of sign  ;).

?


If you supply tools to the user to download the sign, the document and
verify all when he wants, this problem goes away...

Thank you very much, Nelson, for your help. I think I can't encrypt in the
applet... I will sign the attributes...

good luck.


_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
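
The check discussed in this thread, as an added example that is not part of the original messages: the client hashes the document bytes it actually displayed and refuses to sign when the server-supplied hash differs. HMAC-SHA256 stands in for the user's private-key signature, and all function names, the key and the sample documents are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data, not taken from the thread.
SHOWN_DOC = b"Order #1: purchase 10 widgets for 50 EUR."
OTHER_DOC = b"I hereby transfer all my money and assets."
CLIENT_KEY = b"constructed-demo-key"  # stand-in for the user's private key


def sign_digest(digest: bytes, key: bytes = CLIENT_KEY) -> bytes:
    """Stand-in signer: HMAC-SHA256 replaces a real private-key signature."""
    return hmac.new(key, digest, hashlib.sha256).digest()


def sign_blind(server_digest: bytes) -> bytes:
    """Weak flow: sign whatever digest the server sent, document unseen."""
    return sign_digest(server_digest)


def sign_checked(displayed_doc: bytes, server_digest: bytes) -> bytes:
    """Safer flow: hash the bytes actually displayed, refuse on mismatch."""
    local_digest = hashlib.sha256(displayed_doc).digest()
    if not hmac.compare_digest(local_digest, server_digest):
        raise ValueError("server digest does not match displayed document")
    return sign_digest(local_digest)


def verify(doc: bytes, signature: bytes, key: bytes = CLIENT_KEY) -> bool:
    """Later check: does this signature cover this exact document?"""
    expected = sign_digest(hashlib.sha256(doc).digest(), key)
    return hmac.compare_digest(expected, signature)


def demo() -> dict:
    """Run both flows against a digest that does not match the shown document."""
    swapped = hashlib.sha256(OTHER_DOC).digest()  # digest of a different document
    blind_sig = sign_blind(swapped)
    try:
        sign_checked(SHOWN_DOC, swapped)
        refused = False
    except ValueError:
        refused = True
    good_sig = sign_checked(SHOWN_DOC, hashlib.sha256(SHOWN_DOC).digest())
    return {
        "blind_binds_other_doc": verify(OTHER_DOC, blind_sig),
        "blind_binds_shown_doc": verify(SHOWN_DOC, blind_sig),
        "checked_refuses_swap": refused,
        "checked_binds_shown_doc": verify(SHOWN_DOC, good_sig),
    }
```

The `verify` function corresponds to the later check mentioned in the thread, where the user downloads the document and the signature and confirms they match.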
