On 26/04/12 17:32 PM, helpcrypto helpcrypto wrote:
Are you saying you base64 encode the data to be signed before the signature is
created?
No. Let me show you an example.
Consider you provide this API:
sign(keyId, data)
IMHO, the correct way of invoking wil be:
sign(1,"ZGF0YXRvYmVzaWduZWQ=")
Inseatd of (cause it can end in encoding translation problem)
sign(1,"datatobesigned")
For example, using iso-8859-1 and UTF-8 this string is not the same
"En España el Paragüas es invisíble"
Ah, canonicalisation. You need to figure out a form to preserve this.
but also, this is a component that is not directly connected to signing.
There is an intermediate part, hashing. So the general technique is
more like:
text => canonoicalisation => hash => digsig.
The smart card or other container for private key is typically only
interested in the last step.
Public key as a privacy risk? I don't imagine we will have an address bound the
the public key.
My X509 cert has my name, surname, identity ID...i dont want ANY site,
(except those requiring SSL client authentication like Tax ministry)
have any access to it.
My public key has a unique hash that could (easily) be used to track a
user. I dont want that either.
:)
iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
