Re: [soapbuilders] Re: Super-Encryption AND Digital Signatures
Dec 2, 2003

Clever idea. Just because I haven't heard of it doesn't mean it's not
known to real cryptographers, of course. :) One of the best lists for
discussing this kind of thing in detail is the cryptography list moderated
by Perry Metzger; email to majordomo@... for details.

Anyhow, your technique provides confidentiality -- only the intended
recipient can see the content. It also provides sender-authentication,
since only the sender can encrypt the inner session key. But it doesn't
provide a priori content integrity; that will depend on the content
itself being error-detecting. This is probably okay for XML, since you're
most likely to end up with something that won't parse. But that's
only probabilistic and if the data being sent is something like a GIF
or MPEG, you'll probably never know.

I'm curious why a standard dsig/enc combination isn't appropriate?

Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
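
The integrity gap described in the post above, as an added example that is not part of the original message or the scheme under discussion: a one-byte ciphertext change inside a tag breaks XML parsing, the same change inside text content decrypts to a different, well-formed document, and a MAC over the ciphertext catches both. The toy SHA-256 counter-mode cipher, the HMAC construction, the keys, the sample document and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample keys and document (not from the original thread).
ENC_KEY, MAC_KEY = b"demo-enc-key", b"demo-mac-key"
XML_DOC = b"<order><amount>100</amount></order>"

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode): encrypts and decrypts.
    Stand-in for any cipher used without an integrity check."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def flip(ct: bytes, offset: int, mask: int) -> bytes:
    """Model in-transit modification of a single ciphertext byte."""
    return ct[:offset] + bytes([ct[offset] ^ mask]) + ct[offset + 1:]

def parses_as_xml(data: bytes) -> bool:
    try:
        ET.fromstring(data)
        return True
    except ET.ParseError:
        return False

def seal(plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: append HMAC-SHA256 over the ciphertext."""
    ct = keystream_xor(ENC_KEY, plaintext)
    return ct + hmac.new(MAC_KEY, ct, hashlib.sha256).digest()

def open_sealed(blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject any modified message."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(MAC_KEY, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return keystream_xor(ENC_KEY, ct)

if __name__ == "__main__":
    ct = keystream_xor(ENC_KEY, XML_DOC)
    print(parses_as_xml(keystream_xor(ENC_KEY, flip(ct, 1, 0x01))))  # damage in a tag
    print(keystream_xor(ENC_KEY, flip(ct, 15, 0x08)))                # damage in text
    try:
        open_sealed(flip(seal(XML_DOC), 15, 0x08))
    except ValueError as err:
        print(err)
```
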