> Scott> Maybe I don't understand what you mean by "single
> Scott> request". Are you suggesting some kind of real-time
> Scott> submission + hash taking place? That would be a little tricky
> Scott> unless, again, you didn't actually care what it was
> Scott> hashing/signing.
>
> Yes. That's roughly what Josh and I proposed. Trusted party policy for
> what to accept will be a bit tricky as with any non-trivial policy for
> things like CA signing and the like.
> I don't think it is any more tricky than any fully automated policy.
Ok, I understand your proposal now. That is in principle much like "not
hashing the whole document" except that you carve out the exceptions
semantically in the act of hashing the whole thing rather than actually
doing that cryptographically in the hashing step.
It's no doubt feasible, but definitely hasn't been explored much.
-- Scott