Sat Feb 16 06:01:01 2002
Lee Roberts, at 20:48 -0700 on 2002-02-15, wrote:
> Why is this necessary? What's wrong with PGP/GPG signatures?
xmldsig is not an actual cryptographic protocol, but more of a means of
using helping defining what has been signed in an XML document. The idea
is that an xmldsig document "I'm running a signature over these elements,
but not these, (they're part of form data)". The actual cryptographic
signature comes from OpenPGP, S/MIME, or similar, and inserted into the
Part of the whole mess is the important concept of canonicalization; the
xmldsig-signed documents are canonicalized first before a signature is run
over them, so that the XML document can be transmitted in a variety of
different manners. Once the message needs to be verified, the message is
re-canonicalized, and the signature verified. This helps eliminate the
many problems of whitespace, etc, that have been a thorn in OpenPGP's side
for quite some time regarding textmode signatures.
Frank Tobin http://www.neverending.org/~ftobin/