DiME supports multiple signatures for any item. This enables the use of many different types of public-key networks, from classic trust trees to Web-of-Trust models.

Any signed DiME item, including envelopes, has a signature attached at the end. For envelopes this is indicated by a final colon (‘:’) followed by a signature package, where other items include the signature package after the final dot (‘.’).

Here is an example of a DiME key item signed by three different keys:

Di:KEY.eyJjYXAiOlsiZW5jcnlwdCJdLCJpYXQiOiIyMDIyLTEwLTIyVDEyOjA2OjI0LjI5NTU0M1oiLCJrZXkiOiJTVE4uR3lGSjNpMmNicWRwUXpMRTRIOFJ0NWFZZG1LdUt1QXBNa3Jyd3lYaUJDaDQ3RTZuSCIsInVpZCI6IjM0NzRiY2RhLWQxYjItNGQ5OS04YjU4LWI2MzkxNjI0NmE2ZCJ9.MDFiODQxNmIzMjk0NmJmYi44YmFiOWRkYmJiNmU1Y2NlYTViYjI3MWVlMDY5NmY2YTFhODM5ZWQzOWY5YWNjZjZkZGY1YjZiMWFjNGJlZGNkYjNiMWNiYzY0OTY5NWFjMzM2YTg3Njg2ZTBjNmZhOTViZWI1NzA4ZmVkNDE1MDFiYjE1ZTRjNWI1MTZhNGIwYTo4MTk2YWQ2NmE0ODQwMmFiLmE3ZmI1OTAxMzRiMzVjNGQ5ZjM5OWIwYzRkNzJjNmFhZDA5YmExYjAwOWYwMWVkMTgzMmJlNWIwZTc1ZjNiMzVlYzYzN2JlZGRhMGFlMmUwMjZmMGYxNzVlMmRiYWI3OGQ4OGE5MDFlNThjZGFjYmI0ZDM4ZjU1ZDQzYzIzZTA4OjI2NzA1N2ZkOTdlMjAzZjYuMDQ1MTczYzQ0ODQ1MzcwMTczNGE0NWFjNmI2YzNkZTU3MzNhOGYwMzVhMjg1ZmY5YTYxNzc4N2ZkNWJiYTM4NzM2OTljZDlmMjk5OTU2NzJjYzA3NjA5MDIzY2ZiMGM5ZDg2OTE5ZmM2MGEwZGY5ZTNmYjU2YzRjZTU3OTlhMDI

Copy pasting the Base64 encoded string following the final dot (‘.’) gives:

MDFiODQxNmIzMjk0NmJmYi44YmFiOWRkYmJiNmU1Y2NlYTViYjI3MWVlMDY5NmY2YTFhODM5ZWQzOWY5YWNjZjZkZGY1YjZiMWFjNGJlZGNkYjNiMWNiYzY0OTY5NWFjMzM2YTg3Njg2ZTBjNmZhOTViZWI1NzA4ZmVkNDE1MDFiYjE1ZTRjNWI1MTZhNGIwYTo4MTk2YWQ2NmE0ODQwMmFiLmE3ZmI1OTAxMzRiMzVjNGQ5ZjM5OWIwYzRkNzJjNmFhZDA5YmExYjAwOWYwMWVkMTgzMmJlNWIwZTc1ZjNiMzVlYzYzN2JlZGRhMGFlMmUwMjZmMGYxNzVlMmRiYWI3OGQ4OGE5MDFlNThjZGFjYmI0ZDM4ZjU1ZDQzYzIzZTA4OjI2NzA1N2ZkOTdlMjAzZjYuMDQ1MTczYzQ0ODQ1MzcwMTczNGE0NWFjNmI2YzNkZTU3MzNhOGYwMzVhMjg1ZmY5YTYxNzc4N2ZkNWJiYTM4NzM2OTljZDlmMjk5OTU2NzJjYzA3NjA5MDIzY2ZiMGM5ZDg2OTE5ZmM2MGEwZGY5ZTNmYjU2YzRjZTU3OTlhMDI

By Base64 decoding this string gives the actual signatures, each HEXADECIMAL encoded and separated by a colon (‘:’):

01b8416b32946bfb.8bab9ddbbb6e5ccea5bb271ee0696f6a1a839ed39f9accf6ddf5b6b1ac4bedcdb3b1cbc649695ac336a87686e0c6fa95beb5708fed41501bb15e4c5b516a4b0a:8196ad66a48402ab.a7fb590134b35c4d9f399b0c4d72c6aad09ba1b009f01ed1832be5b0e75f3b35ec637bedda0ae2e026f0f175e2dbab78d88a901e58cdacbb4d38f55d43c23e08:267057fd97e203f6.045173c448453701734a45ac6b6c3de5733a8f035a285ff9a617787fd5bba3873699cd9f29995672cc07609023cfb0c9d86919fc60a0df9e3fb56c4ce5799a02

The basic components of a signature, separated by a dot (‘.’) are:

• Key name – an identifier for the public key that may be used to verify the signature

• Signature – a digital signature encoded using HEXADECIMAL

The key name is generated by the cryptographic suite associated with the key and may thus have different lengths and formats.

Including the name of the key makes it easier to find the key needed to verify the signature and avoids unnecessary verification with keys that does not match the name.

Signature scope

The signature scope defines the set of data that is integrity protected by a digital signature. This scope is different depending if the signature if for an envelope or an individual item. For envelopes the scope is for all items that are attached to it, and for items the scope is only for its own data.

All signatures that may be attached to an item or envelope are always excluded from the scope.

Note that the character separating the item and the signature(s) is not included in the generation and verification of signatures. For envelopes this refers to the final colon (‘:’) and for other items to the final dot (‘.’).

The signature scope is then hashed, creating a thumbprint of the item, which is then used to generate the signature.

This means that in most cases envelopes and items do not need to be decoded for generation and verification of signatures. An exception to this may be when a public key, or key identifier, needs to be reteived from the item iself before verifying a signature.