OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help



   Re: [xml-dev] md5sum / sha1sum for XML?

[ Lists Home | Date Index | Thread Index ]

> btw, if you are worried about integrity, then you need to transmit the
> md5sum/sha1sum outside of the payload. We are using our own protocol so
> it is easy for doing it...

Or you sign the data.  Now the only thing the receipient has to do is have 
out-of-band knowledge about either the certificate doing the signing, or 
the CA that generates the signing certificate(s).  Both of these are 
examples of indirection.  With out-of-band XXXsum, you have to "securely" 
convey that for every payload; with a certificate, you only have to do 
that when the certificate changes, the one you're seeing expires, or when 
you think it might be compromised; with a CA certificate, you can have 
multiple signers and/or renewal of existing signers.

Each level of indirection reduces the amount of work you have to do 
per-message, but increases the risk of exposure if something goes wrong 
(such as an adversary getting access to a private key).  Sometimes the 
choice is easy -- an authoritative website can easily publish a list of 
digests for various releases -- and sometimes the tradeoffs are harder to 


SOA Appliances
Application Integration Middleware


News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS