Digital signature: what to sign?
We would like to digitally sign the certificate. An XML file can be easily generated for each candidate.
Should we store it publicly and just reference the file via URL?
- We must guarantee stability for the URL if we want to use them.
- We could make the statement very compact by
xi:include
ing the course tags. - We should obfuscate personal data if they're stored publicly.
Should we deliver it together with the signature? This sounds more viable, but opens new questions.
- The payload would now consist of XML + signature. Can we fit it in a QR code?
- XML is very tolerant towards e.g. whitespace, signing not so much. Can we "canonically" transform/compactify an XML before feeding it to the hash, in such a way that whomever has an XML representing that data can canonically transform it and verify the signature? Otherwise we're back at storing it.