Re: Digital signatures have a big problem with meaning

2005-06-13 Thread Peter Gutmann
Rich Salz [EMAIL PROTECTED] writes: Peter's shared earlier drafts with me, and we've exchanged email about this. The only complaint that has a factual basis is this: I don't want to have to implement XML processing to do XML Digital Signatures I don't want to have to

Re: Digital signatures have a big problem with meaning

2005-06-13 Thread Rich Salz
I don't want to have to re-implement Apache in order to do an SSL implementation. ... Those analogies aren't apt. XML is a data format, so it's more like I don't want to have to implement ASN1/DER to do S/MIME Which is a nonsensical complaint. Makes sense to me.

Re: Digital signatures have a big problem with meaning

2005-06-08 Thread Peter Gutmann
Ben Laurie [EMAIL PROTECTED] writes: Anne Lynn Wheeler wrote: Peter Gutmann wrote: That cuts both ways though. Since so many systems *do* screw with data (in insignificant ways, e.g. stripping trailing blanks), anyone who does massage data in such a way that any trivial change will be

Re: Digital signatures have a big problem with meaning

2005-06-07 Thread Rich Salz
Peter Gutmann wrote: Yup, see Why XML Security is Broken, http://www.cs.auckland.ac.nz/~pgut001/pubs/xmlsec.txt, for more on this. Peter's shared earlier drafts with me, and we've exchanged email about this. The only complaint that has a factual basis is this: I don't want to have to

Re: Digital signatures have a big problem with meaning

2005-06-07 Thread Ben Laurie
Ian G wrote: On Wednesday 01 June 2005 15:07, [EMAIL PROTECTED] wrote: Ian G writes: | In the end, the digital signature was just crypto | candy... On the one hand a digital signature should matter more the bigger the transaction that it protects. On the other hand, the bigger the

Re: Digital signatures have a big problem with meaning

2005-06-07 Thread Ben Laurie
Anne Lynn Wheeler wrote: Peter Gutmann wrote: That cuts both ways though. Since so many systems *do* screw with data (in insignificant ways, e.g. stripping trailing blanks), anyone who does massage data in such a way that any trivial change will be detected is going to be inundated with

Re: Digital signatures have a big problem with meaning

2005-06-06 Thread Anne Lynn Wheeler
Peter Gutmann wrote: Yup, see Why XML Security is Broken, http://www.cs.auckland.ac.nz/~pgut001/pubs/xmlsec.txt, for more on this. Mind you ASN.1 is little better, there are rules for deterministic encoding, but so many things get them wrong that experience has shown the only safe way to handle

Re: Digital signatures have a big problem with meaning

2005-06-03 Thread Peter Gutmann
Rich Salz [EMAIL PROTECTED] writes: I think signatures are increasingly being used for technical reasons, not legal. That is, sign and verify just to prove that all the layers of middleware and Internet and general bugaboos didn't screw with it. That cuts both ways though. Since so many

Re: Digital signatures have a big problem with meaning

2005-06-03 Thread Anne Lynn Wheeler
Peter Gutmann wrote: That cuts both ways though. Since so many systems *do* screw with data (in insignificant ways, e.g. stripping trailing blanks), anyone who does massage data in such a way that any trivial change will be detected is going to be inundated with false positives. Just ask any

Re: Digital signatures have a big problem with meaning

2005-06-03 Thread Peter Gutmann
Anne Lynn Wheeler [EMAIL PROTECTED] writes: the problem was that xml didn't have a deterministic definition for encoding fields. Yup, see Why XML Security is Broken, http://www.cs.auckland.ac.nz/~pgut001/pubs/xmlsec.txt, for more on this. Mind you ASN.1 is little better, there are rules for

Re: Digital signatures have a big problem with meaning

2005-06-03 Thread John Gilmore
That cuts both ways though. Since so many systems *do* screw with data (in insignificant ways, e.g. stripping trailing blanks), anyone who does massage data in such a way that any trivial change will be detected is going to be inundated with false positives. Just ask any OpenPGP implementor

Re: Digital signatures have a big problem with meaning

2005-06-02 Thread Ian G
On Wednesday 01 June 2005 15:07, [EMAIL PROTECTED] wrote: Ian G writes: | In the end, the digital signature was just crypto | candy... On the one hand a digital signature should matter more the bigger the transaction that it protects. On the other hand, the bigger the transaction the

Re: Digital signatures have a big problem with meaning

2005-06-02 Thread Anne Lynn Wheeler
[EMAIL PROTECTED] wrote: On the one hand a digital signature should matter more the bigger the transaction that it protects. On the other hand, the bigger the transaction the lower the probability that it is between strangers who have no other leverage for recourse. And, of course, proving

Re: Digital signatures have a big problem with meaning

2005-06-02 Thread Rich Salz
On the one hand a digital signature should matter more the bigger the transaction that it protects. On the other hand, the bigger the transaction the lower the probability that it is between strangers who have no other leverage for recourse. I think signatures are increasingly being used for

Digital signatures have a big problem with meaning

2005-06-01 Thread Ian G
On Tuesday 31 May 2005 23:43, Anne Lynn Wheeler wrote: in most business scenarios ... the relying party has previous knowledge and contact with the entity that they are dealing with (making the introduction of PKI digital certificates redundant and superfluous). Yes, this is directly what we

Re: Digital signatures have a big problem with meaning

2005-06-01 Thread dan
Ian G writes: | | In the end, the digital signature was just crypto | candy... | On the one hand a digital signature should matter more the bigger the transaction that it protects. On the other hand, the bigger the transaction the lower the probability that it is between strangers who