Alternate proposal for digital signatures

Steve Allen sla at ucolick.org
Thu Mar 13 09:39:31 PDT 2008


On Wed 2008-03-12T22:00:47 -0700, Bob Denny hath writ:
> As an aside, does anyone here question the efficacy and/or strength of a 1024
> bit (DSA) signing key and SHA-1 hash? From my perspective, this is more than
> enough for the intended application and the cost/benefit of breaking the key.

Those are enough.  We're not doing international banking or espionage
(although there have been a few documented examples of astronomers
seeking undeserved credit or information...).

> And does RFC 4880[1] specify a system that is worthy of becoming part of a
> VOEvent standard?

Yes, if we don't choose an XML-native solution.

> > There is also the tangle of XML canonicalization.

> And beyond any signature scheme, PGP/GPG or not. This is a tough one... But do
> we really *need* to couple the two together?

It depends on the usage analysis that we really have not done.

Are VOEvent packets always atomic?  Do they never get modified from
the point that they initially leave the first creator?
Do we expect AAVSO members to generate partial versions which are then
further padded out by the AAVSO machinery before it submits them to
the VOEvent pipelines?
Do we expect that a relaying or archiving system will want to insert
any sort of additional unique identifiers or "I saw this" elements?

If there is any modification of the VOEvent itself then the XML scheme
allows for the signatures to remain valid because an agent can rewrite
the Transform Algorithm (in my scheme currently just an XPath which
excludes all Signature elements) without invalidating the Signature
of the material which existed at the point of the Signature.

The alternative is to do all of this archival manipulation externally
to the VOEvent, and that may mean setting up standards and
implementing systems which are not necessarily describable by XML.

It's an engineering tradeoff that's hard to make prior to some
"interop"erational experimenting.

--
Steve Allen                 <sla at ucolick.org>                WGS-84 (GPS)
UCO/Lick Observatory        Natural Sciences II, Room 165    Lat  +36.99855
University of California    Voice: +1 831 459 3046           Lng -122.06015
Santa Cruz, CA 95064        http://www.ucolick.org/~sla/     Hgt +250 m
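
The effect of a transform that excludes all Signature elements, as an added example that is not part of the original message or of any VOEvent code: it computes the digest a signer would sign and shows which later changes by a relay leave that digest intact. The packet, the element names other than ds:Signature, and the use of SHA-256 with Python's built-in C14N are assumptions made for the illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"  # XML-Signature namespace

# Constructed sample packet; element names are illustrative, not the VOEvent schema.
PACKET = ('<VOEvent ivorn="ivo://example.org/evt#1" role="test">'
          '<What><Param name="mag" value="17.2"/></What></VOEvent>')


def strip_signatures(root):
    """Transform step: drop every ds:Signature element, wherever it sits."""
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == f"{{{DSIG}}}Signature":
                parent.remove(child)


def signed_digest(xml_text):
    """Digest of the packet as the signer sees it: Signatures excluded, then C14N."""
    root = ET.fromstring(xml_text)
    strip_signatures(root)
    canonical = ET.canonicalize(ET.tostring(root, encoding="unicode"), strip_text=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append_child(xml_text, tag, **attrs):
    """Simulate an agent adding one child element to the packet root."""
    root = ET.fromstring(xml_text)
    ET.SubElement(root, tag, attrs)
    return ET.tostring(root, encoding="unicode")


def demo():
    """Return which later modifications leave the originator's digest unchanged."""
    original = signed_digest(PACKET)
    signed = append_child(PACKET, f"{{{DSIG}}}Signature", Id="originator")
    relayed = append_child(signed, f"{{{DSIG}}}Signature", Id="relay")
    annotated = append_child(signed, "Seen", by="relay.example.org")
    edited = signed.replace('value="17.2"', 'value="12.0"')
    return {
        "second Signature added": signed_digest(relayed) == original,
        "non-Signature element added": signed_digest(annotated) == original,
        "Param value edited": signed_digest(edited) == original,
    }


if __name__ == "__main__":
    for change, still_valid in demo().items():
        print(f"{change}: digest {'unchanged' if still_valid else 'CHANGED'}")
```

Only the added Signature survives verification; an "I saw this" element placed outside a Signature changes the digest just as an edited parameter does, which is the usage question the message raises.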


