[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

Re: md5sum / sha1sum for XML?

• To: Mitch Amiano <mitch.amiano@a...>
• Subject: Re: md5sum / sha1sum for XML?
• From: Richard Salz <rsalz@u...>
• Date: Tue, 18 Jul 2006 12:40:33 -0400
• Cc: xml-dev@l...
• In-reply-to: <44B80928.7000908@a...>

> With a signature, both you and the receiver can perform a 
> subsequent test that the signature and file still match up.  Of course, 
> if the signature is also with the original data, and that's your only 
> copy, then someone could replace the signature too.

There are actually two parts to checking a signature -- verifying that the 
signature is correct, and validating the identity of the signer.  An 
adversary replacing the signature can pass the first test, but won't pass 
the second.

> Even if not, you or 
> the receiver could conceivably  maliciously replace both the file and 
> the signature, thus creating an uncertainty about whose copy is 
authentic.

If the signature is using something like RSA, then not really.  While the 
sender can create a new signed document, it will be harder for them to 
repudiate that they signed the first one. 
--
SOA Appliances
Application Integration Middleware

• References:
  • Re: md5sum / sha1sum for XML?
    • From: Mitch Amiano <mitch.amiano@a...>

• Prev by Date: Re: md5sum / sha1sum for XML?
• Next by Date: Re: RE: Why is there little usage of XML on the "visibleWeb"?
• Previous by thread: Re: md5sum / sha1sum for XML?
• Next by thread: XSD Imports with location
• Index(es):
  • Date
  • Thread