Combining signing and encrypting from hal@finney.org on 2000-11-21 (xml-encryption@w3.org from November 2000) (original) (raw)

David Solo, david.solo@citicorp.com, writes:

At the workshop, I promised to send a couple paragraphs on minimum requirements around handling documents with both encryption and signatures (sorry about the delay, I've been moving and on vacation).

In general, both signature and encryption operations may be performed on an XML document. Depending on the usage case (see below), a signature may be applied to plaintext or ciphertext portions of documents. To verify a signature, the recipient must know whether to decrypt before or after signature verification (possibly differently for different encrypted portions). In order to enable efficient and automated signature validation, a goal of the design should be to allow well-behaved applications to indicate to the verifier/recipient how to unambiguously figure out in which order to perform decryption and signature validation operations (ill-behaved applications may always cause things to break). [Note: the suggestion is to add this last sentence to the requirements document.]

One approach would be, when signing before encrypting, to always encrypt the signature block along with the data being encrypted. This is good for two reasons. First, since the sig can't be verified without decrypting the data, you might as well do this.

Second, if you don't do this, the signature may leak information about the data being encrypted. In particular it allows for guesses at the content of the encrypted data to be confirmed.

Hal Finney PGP Security

Received on Tuesday, 21 November 2000 13:51:43 UTC