OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help



   Re: [xml-dev] md5sum / sha1sum for XML?

[ Lists Home | Date Index | Thread Index ]

----- Original Message ----- 
From: "Dave Pawson" <davep@dpawson.co.uk>
> On Fri, 2006-07-14 at 17:14 -0400, Mitch Amiano wrote:
>> An encrypted file need not be signed at all, and a signed file need not
>> be encrypted.
>> The two things - signing and encrypting - are distinct operations.
> Yes. I'm happy with that.
>> One you do to ensure no one can read the data that shouldn't be reading 
>> it.
>> The other you do to ensure that no one has tampered with data that
>> shouldn't be tampered with, while not necessarily encumbering the
>> ability to read it.
> I'd like both, hence the need to get them in the right order!

I think the answer to that is "It depends."  If you don't want the person to 
know who signed it until they've decrypted it (i.e. who signed it is a 
secret), then sign and then encrypt.  If you need to know who encrypted 
before you can decrypt it (i.e. to select the right key or maybe just to 
decide whether to decrypt it or not) then encrypt and then sign.

My recollection is that cryptographically one scheme is not necessarily 
weaker than the other.


Pete Cordell
Tech-Know-Ware Ltd
                         for XML to C++ data binding visit
                         (or http://www.xml2cpp.com)


News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS