Collaborate Disseminate
We are looking to introduce signing of commits into our company.
Currently we are leaning towards using GPG kays, but we can consider SSH if what we want cannot be achieved with GPG.
We are using a private Gitlab instance.
What we need:
We… Continue reading Managing signed commits as an organization
Signing XML file with XAdES extension provides the X509 certificate.
What is the security point if the certificate is given? Anyone can tamper the data with its own certificate, right?
I used to work with certificate ids and have to reach … Continue reading How XAdES protects against tampering if the certificate is embedded?
In RSA signatures, Alice signs the message using her private key, and Bob verifies the message using Alice’s public key.
If an attacker has the signed encrypted message, then can they also verify the message using Alice’s public key? If ye… Continue reading Digital Signatures [closed]
We are planning on implementing encryption or digital signatures using any of the available classes provided by the Java Cryptography Architecture (e.g. KeyPair, MessageDigest, Cipher, KeyStore, Certificate, and Signature JCA APIs.).
We ha… Continue reading Java Cryptography classes – program agnostic usage
Our web application issues governmental documents for our users. Every one of those documents needs to be signed with a private key. However, because our users find it cumbersome to point their browser to their key file every time they wan… Continue reading My web application needs to have my users’ private keys to sign documents on their behalf. How do I handle that?
In this Help Net Security video, David King, Director of Innovation at GlobalSign, discusses document signing. Digital signatures utilize advanced cryptographic technology to provide the highest level of security for electronic signatures, surpassing a… Continue reading What CISOs need to understand about document signing
In absence of better solutions, is the nonce is an OpenID Connect ID Token usable to serve as digital signature. The process would be as follows:
A hash is created from the to-be-signed document/transaction.
This hash is then used as the … Continue reading OIDC ID Token nonce as "poor mans digital signature"
Is this how X509 certificates are verified to be valid?
The receiver receives the certificate
Look at the issuer of the cert, and find the public key of that CA (its hardcoded in the application or the OS)
Decrypt the signature using the … Continue reading Over what fields is the X509 hash computed over? [duplicate]
Is this how X509 certificates are verified to be valid?
The receiver receives the certificate
Look at the issuer of the cert, and find the public key of that CA (its hardcoded in the application or the OS)
Decrypt the signature using the … Continue reading Over what fields is the X509 hash computed over? [duplicate]
I am developing an open source project(PKDSA) that uses ED25519 and ED448. My purpose of this project was to help others to enable user-secretless based passwordless authentication.
There’re a lot of questions but I will ask them one after… Continue reading What could be the correct and secure ways to store and manage public keys?