[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

Re: md5sum / sha1sum for XML?

• To: "Pete Cordell" <petexmldev@t...>
• Subject: Re: md5sum / sha1sum for XML?
• From: Richard Salz <rsalz@u...>
• Date: Tue, 18 Jul 2006 12:31:38 -0400
• Cc: xml-dev@l...
• In-reply-to: <000a01c6a808$4309ac70$ae00a8c0@RW>

> > I'd like both, hence the need to get them in the right order!
> 
> 
> I think the answer to that is "It depends."  If you don't want the 
person to 
> know who signed it until they've decrypted it (i.e. who signed it is a 
> secret), then sign and then encrypt.  If you need to know who encrypted 
> before you can decrypt it (i.e. to select the right key or maybe just to 

> decide whether to decrypt it or not) then encrypt and then sign.

No, it never really depends.  You should never sign opaque content, you 
should only sign what you and the intended receiver both see (cf 
http://www.w3.org/TR/xmldsig-core/#sec-See in the XML Digital Signature 
spec, and section 5.2.4 of the ABA signature guidelines).

If there's a need to first provide the identity, a security token (such as 
a small signd plaintext) is the way to go.

        /r$

--
SOA Appliances
Application Integration Middleware

• References:
  • Re: md5sum / sha1sum for XML?
    • From: "Pete Cordell" <petexmldev@t...>

• Prev by Date: RE: Why is there little usage of XML on the "visible Web"?
• Next by Date: Re: md5sum / sha1sum for XML?
• Previous by thread: Re: md5sum / sha1sum for XML?
• Next by thread: Re: md5sum / sha1sum for XML?
• Index(es):
  • Date
  • Thread