digitally signing contracts
Werner Koch
wk at gnupg.org
Mon Oct 31 18:47:58 CET 2011
On Mon, 31 Oct 2011 16:40, melvincarvalho at gmail.com said:
> http://www.w3.org/TR/xmldsig-core/
Let me quote Peter Gutmann's take on this:
This writeup was motivated by the following exchange on a mailing list:
>>I have some questions related to XML-Dsig:
>
>Argghh!! Run away!
A near-universal reaction.
So why is "Run away!" a near-universal reaction to XML-Dsig (and XML security
in general)? Because it doesn't work, that's why. The problem with XML
security can be traced back to two fundamental causes:
1. XML is an inherently unstable and therefore unsignable data format.
XML-Dsig attempts to fix this via canonicalisation rules, but they don't
really work.
2. The use of an "If it isn't XML, it's crap" design approach that led to
the rejection of conventional, proven designs in an attempt to prove that
XML was more flexible than existing stuff.
These problems are covered in more detail below, along with a simple solution
to the problem that's already in use by some XML users.
For the details, see
<http://www.cs.auckland.ac.nz/~pgut001/pubs/xmlsec.txt> . IIRC, Amazon
recently ran into problems due to their use of XML crypto.
Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
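
Added illustration of point 1 in the quoted text (not part of the original message or of the quoted writeup): three constructed serializations of one contract are hashed raw and after C14N 2.0 canonicalisation. Canonicalisation absorbs the attribute-order, quoting and empty-element differences in DOC_B, but the prefix rename in DOC_C still changes the digest. The documents, the namespace URI and the function names are assumptions made for the example.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed samples: one contract, three serializations with the same content.
DOC_A = ('<c:contract xmlns:c="urn:example:contract" id="42" party="Alice">'
         '<c:amount>100</c:amount><c:note/></c:contract>')
# Attribute order, quote style, in-tag whitespace and empty-element form differ.
DOC_B = ("<c:contract  party='Alice' id='42' xmlns:c='urn:example:contract'>"
         "<c:amount>100</c:amount><c:note></c:note></c:contract>")
# Only the namespace prefix differs (c -> k); the namespace URI is unchanged.
DOC_C = ('<k:contract xmlns:k="urn:example:contract" id="42" party="Alice">'
         '<k:amount>100</k:amount><k:note/></k:contract>')


def raw_digest(xml_text):
    """SHA-256 over the serialized bytes, as a naive signer would hash them."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def c14n_digest(xml_text):
    """SHA-256 over the C14N 2.0 form (ElementTree.canonicalize, Python 3.8+)."""
    return hashlib.sha256(ET.canonicalize(xml_text).encode("utf-8")).hexdigest()


def same_content(x, y):
    """True if two documents parse to the same namespace-qualified tree."""
    def walk(a, b):
        return (a.tag == b.tag and a.attrib == b.attrib
                and (a.text or "") == (b.text or "")
                and (a.tail or "") == (b.tail or "")
                and len(a) == len(b)
                and all(walk(p, q) for p, q in zip(a, b)))
    return walk(ET.fromstring(x), ET.fromstring(y))


if __name__ == "__main__":
    for name, doc in (("B", DOC_B), ("C", DOC_C)):
        print(name, "same content as A:    ", same_content(DOC_A, doc))
        print(name, "raw digest matches A: ", raw_digest(DOC_A) == raw_digest(doc))
        print(name, "c14n digest matches A:", c14n_digest(DOC_A) == c14n_digest(doc))
```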