On Tue, 25 Aug 1998 12:34:31 CDT, Rick Troth said:
> I've always wanted a signature/validation scheme that
> would intentionally (not in the content, only in the signing logic)
>
>   o discard trailing white space
>
>   o unify all other white space
>     (any number of TABs or SPACEs make one instance)
>
>   o unify paragraph breaks
>     (two blank lines, one blank line, same thing)

Unfortunately, the only way to do this and Get It Right is to define a
canonical form that the signature is computed over.

The problem is that you *want* a digital signature to have the property
that changing even a single character invalidates the integrity check.
If this were not so, you could envision ALL sorts of mayhem caused by
one-digit additions/subtractions to an EDI message (Hmm.. instead of
billing me $1198.45, bill me $198.43... ;)

You want to be careful too - consider shipping a digitally signed table
of tab-delimited fields. These would be VERY different:

    1134<TAB><TAB>45<TAB>9<CR>
    1134<TAB>45<TAB><TAB>9<CR>

but would sign the same.

In any case, I would suggest that cut-and-pasting of a digitally signed
object *should* invalidate the signature. Think about it. ;)

I'm pretty sure that Rick saw my posting a few weeks ago (I think on the
MAILBOOK list) wherein I hand-waved about quoting digitally signed text -
the upshot being that the only way to make it Really Work Right is to use
a multipart/quoted where the original object is included, and then we use
a markup language of tags similar in form to

    <start-octet-in-original><length quoted>Annotation<end>

and then possibly signing that as well.

Hey, it's just a straw-man.. Comments? ;)

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
Attachment:
pgp00019.pgp
Description: PGP signature
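
The tab-delimited collision described in the message above, as an added example that is not part of the original post. It assumes an HMAC as a stand-in for a real PGP signature; the key, the function names and the narrower "strict" canonical form are hypothetical.

```python
import hashlib
import hmac
import re

KEY = b"constructed-demo-key"  # constructed; HMAC stands in for a PGP signature


def canon_loose(text: str) -> bytes:
    """The three quoted rules: drop trailing white space, collapse runs of
    TABs/SPACEs to one SPACE, collapse runs of blank lines to one."""
    out = []
    for ln in text.splitlines():
        ln = re.sub(r"[ \t]+", " ", ln.rstrip())
        if ln == "" and out and out[-1] == "":
            continue  # second or later blank line in a run
        out.append(ln)
    return "\n".join(out).encode()


def canon_strict(text: str) -> bytes:
    """Narrower canonical form (assumption): normalize line endings and drop
    trailing SPACEs only, so every TAB field separator is still signed."""
    return "\n".join(ln.rstrip(" ") for ln in text.splitlines()).encode()


def sign(text: str, canon) -> str:
    return hmac.new(KEY, canon(text), hashlib.sha256).hexdigest()


def verify(text: str, tag: str, canon) -> bool:
    return hmac.compare_digest(sign(text, canon), tag)


# The two rows from the message: same digits, empty field in a different column.
ROW_A = "1134\t\t45\t9\r"
ROW_B = "1134\t45\t\t9\r"

if __name__ == "__main__":
    for name, canon in (("loose", canon_loose), ("strict", canon_strict)):
        tag = sign(ROW_A, canon)
        print(name, "accepts ROW_B under ROW_A's signature:",
              verify(ROW_B, tag, canon))
```

Under the loose form the receiver cannot tell which column was empty, while the strict form still tolerates trailing blanks and CR/LF differences without merging fields.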