On Tue, 25 Aug 1998 12:34:31 CDT, Rick Troth said:
> I've always wanted a signature/validation scheme that
> would intentionally (not in the content, only in the signing logic)
>
>   o discard trailing white space
>   o unify all other white space
>     (any number of TABs or SPACEs make one instance)
>   o unify paragraph breaks
>     (two blank lines, one blank line, same thing)

Unfortunately, the only way to do this and Get It Right is to
define a canonical form that the signature is computed over. The
problem is that you *want* a digital signature to have the property
that changing even a single character invalidates the integrity
check. If this were not so, you could envision ALL sorts of mayhem
caused by one-digit additions/subtractions to an EDI message
(Hmm.. instead of billing me $1198.45, bill me $198.43... ;)

You want to be careful too - consider shipping a digitally signed
table of tab-delimited fields. These would be VERY different:

    1134<TAB><TAB>45<TAB>9<CR>
    1134<TAB>45<TAB><TAB>9<CR>

but would sign the same.

In any case, I would suggest that cut-and-pasting of a digitally
signed object *should* invalidate the signature. Think about it. ;)

I'm pretty sure that Rick saw my posting a few weeks ago (I think on
the MAILBOOK list) wherein I hand-waved about quoting digitally signed
text - the upshot being that the only way to make it Really Work Right
is to use a multipart/quoted where the original object is included, and
then we use a markup language of tags similar in form to

    <start-octet-in-original><length quoted>Annotation<end>

and then possibly signing that as well.

Hey, it's just a straw-man.. Comments? ;)

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
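
The canonical-form trade-off discussed in this message, as an added example that is not part of the original post: the three whitespace rules from the quoted proposal are applied before hashing, and the two tab-delimited rows then produce the same digest. Assumptions: a SHA-256 digest stands in for the value a signature scheme would sign, the function names are hypothetical, and treating CR/CRLF/LF alike and dropping leading blank lines are choices made here.

```python
import hashlib
import re

def canonicalize(text: str) -> str:
    """Whitespace-insensitive canonical form (rules from the quoted proposal)."""
    # Assumption: CR, CRLF and LF all count as one line break.
    lines = text.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    out = []
    for line in lines:
        line = line.rstrip(" \t")            # discard trailing white space
        line = re.sub(r"[ \t]+", " ", line)  # any run of TABs/SPACEs -> one
        if line == "" and (not out or out[-1] == ""):
            continue                         # unify paragraph breaks
        out.append(line)
    while out and out[-1] == "":
        out.pop()
    return "\n".join(out) + "\n"

def digest_strict(text: str) -> str:
    """Digest over the exact bytes: any single-character change shows up."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def digest_canonical(text: str) -> str:
    """Digest over the canonical form: whitespace differences vanish."""
    return digest_strict(canonicalize(text))

def fields(row: str) -> list:
    """What a tab-delimited consumer actually parses out of a row."""
    return row.rstrip("\r\n").split("\t")

# Constructed sample inputs.
ROW_A = "1134\t\t45\t9\r"   # second field empty
ROW_B = "1134\t45\t\t9\r"   # third field empty
ORIGINAL = "Pay the invoice.\n\nAmount: $1198.45\n"
PASTED = "Pay  the\tinvoice.   \n\n\n\nAmount: $1198.45  \n"  # reflowed copy
TAMPERED = ORIGINAL.replace("$1198.45", "$198.43")

if __name__ == "__main__":
    print("reflowed copy still verifies:",
          digest_canonical(ORIGINAL) == digest_canonical(PASTED))
    print("amount change detected:",
          digest_canonical(ORIGINAL) != digest_canonical(TAMPERED))
    print("rows parse as:", fields(ROW_A), fields(ROW_B))
    print("rows distinct under strict digest:",
          digest_strict(ROW_A) != digest_strict(ROW_B))
    print("rows collide under canonical digest:",
          digest_canonical(ROW_A) == digest_canonical(ROW_B))
```
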