Re: md5sum / sha1sum for XML?

To: Mitch Amiano <mitch.amiano@a...>
Subject: Re: md5sum / sha1sum for XML?
From: Dave Pawson <davep@d...>
Date: Sat, 15 Jul 2006 12:20:51 +0100
Cc: Richard Salz <rsalz@u...>, xml-dev@l...
In-reply-to: <44B80928.7000908@a...>
References: <OFFF1B9043.9E169A3B-ON852571AB.001645E6-852571AB.00179B5E@u...> <1152886416.32747.33.camel@marge> <44B7D280.6010703@a...> <1152901489.32747.52.camel@marge> <44B80928.7000908@a...>
Reply-to: davep@d...

Play the video

Hi Mitch.

On Fri, 2006-07-14 at 17:14 -0400, Mitch Amiano wrote:
> An encrypted file need not be signed at all, and a signed file need not 
> be encrypted.
> The two things - signing and encrypting - are distinct operations.
Yes. I'm happy with that.


> One you do to ensure no one can read the data that shouldn't be reading it.
> The other you do to ensure that no one has tampered with data that 
> shouldn't be tampered with, while not necessarily encumbering the 
> ability to read it.

I'd like both, hence the need to get them in the right order!
After finding out that Sun (Solaris?) uses tail +386 rather
than tail -n +386, I've finally managed to install their jwsdp package
(grrr),
so I'm hoping today to have a play with dig-sigs. I'm not even sure
which jar files the crypto stuff is in as yet, but I'll chase it down.



> 
> Now, I'm not a security expert. Someone with more experience in this 
> area may correct me on this, and could speak to the issue a bit more 
> practically.
> 
> But encryption alone is insufficient. One reason is that someone might 
> well encrypt another file and substitute it for your original encrypted 
> package. With a signature, both you and the receiver can perform a 
> subsequent test that the signature and file still match up.  Of course, 
> if the signature is also with the original data, and that's your only 
> copy, then someone could replace the signature too. Even if not, you or 
> the receiver could conceivably  maliciously replace both the file and 
> the signature, thus creating an uncertainty about whose copy is authentic.

For our application I'm moderately confident of such maliciousness being
absent. I'm trying to find a balance between caution and paranoia. 


-- 
Regards, 

Dave Pawson
XSLT + Docbook FAQ
http://www.dpawson.co.uk

Follow-Ups:
- Re: md5sum / sha1sum for XML?
  - From: "Pete Cordell" <petexmldev@t...>

References:
- Re: md5sum / sha1sum for XML?
  - From: Richard Salz <rsalz@u...>
- Re: md5sum / sha1sum for XML?
  - From: Dave Pawson <davep@d...>
- Re: md5sum / sha1sum for XML?
  - From: Mitch Amiano <mitch.amiano@a...>
- Re: md5sum / sha1sum for XML?
  - From: Dave Pawson <davep@d...>
- Re: md5sum / sha1sum for XML?
  - From: Mitch Amiano <mitch.amiano@a...>

Prev by Date: Re: md5sum / sha1sum for XML?
Next by Date: Re: md5sum / sha1sum for XML?
Previous by thread: Re: md5sum / sha1sum for XML?
Next by thread: Re: md5sum / sha1sum for XML?
Index(es):
- Date
- Thread

PURCHASE STYLUS STUDIO ONLINE TODAY!

Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!

Download The World's Best XML IDE!

Accelerate XML development with our award-winning XML IDE - Download a free trial today!

Subscribe in XML format

RSS 2.0
Atom 0.3

Stylus Studio has published XML-DEV in RSS and ATOM formats, enabling users to easily subcribe to the list from their preferred news reader application.

Stylus Studio Sponsored Links are added links designed to provide related and additional information to the visitors of this website. they were not included by the author in the initial post. To view the content without the Sponsor Links please click here.

XML Editor - Download a 15 Day Free Trial Now >

See What's New in Stylus Studio >

Buy Stylus Studio - XML Editor - Now >