digitally signing contracts

Werner Koch wk at
Mon Oct 31 18:47:58 CET 2011

On Mon, 31 Oct 2011 16:40, melvincarvalho at said:


Let me quote Peter Gutmann's take on this:

  This writeup was motivated by the following exchange on a mailing list:
    >>I have some questions related to XML-Dsig:
    >Argghh!! Run away!
    A near-universal reaction.
  So why is "Run away!" a near-universal reaction to XML-Dsig (and XML security
  in general)?  Because it doesn't work, that's why.  The problem with XML
  security can be traced back to two fundamental causes:
    1. XML is an inherently unstable and therefore unsignable data format.
    XML-Dsig attempts to fix this via canonicalistion rules, but they don't
    really work.
    2. The use of an "If it isn't XML, it's crap" design approach that lead to
    the rejection of conventional, proven designs in an attempt to prove that
    XML was more flexible than existing stuff.
  These problems are covered in more detail below, along with a simple solution
  to the problem that's already in use by some XML users.
For the details, see
<> .  IIRC, Amazon
recently ran into a problems due to their use of XML crypto.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-users mailing list