OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help



   Re: [xml-dev] md5sum / sha1sum for XML?

[ Lists Home | Date Index | Thread Index ]

> With a signature, both you and the receiver can perform a 
> subsequent test that the signature and file still match up.  Of course, 
> if the signature is also with the original data, and that's your only 
> copy, then someone could replace the signature too.

There are actually two parts to checking a signature -- verifying that the 
signature is correct, and validating the identity of the signer.  An 
adversary replacing the signature can pass the first test, but won't pass 
the second.

> Even if not, you or 
> the receiver could conceivably  maliciously replace both the file and 
> the signature, thus creating an uncertainty about whose copy is 

If the signature is using something like RSA, then not really.  While the 
sender can create a new signed document, it will be harder for them to 
repudiate that they signed the first one. 
SOA Appliances
Application Integration Middleware


News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS