Is hashing a digital signature for quick (but incomplete) validation a known and/or acceptable practice?
Let's say that there's a known digital signature issued by a trusted CA.
Normally, digital signatures need to be evaluated: checked if they are expired, revoked, if there's a problem in the chain of trust. However, if these aspects are a given, is hashing a digital signature for quick (but incomplete) validation a known and/or acceptable practice?
To give applicable examples, I can think of 2 contexts where this scenario may apply:
(Theoretical) Low-power IoT host without access to CRL AND with performance constraints, trusts some 'master' host that may fully and properly validate a digital signature. In this scenario, IoT host only needs to validate integrity of digital signature used, achievable by hashing both digital signatures and validating that the output is equal.
(Practical) Someone uses SSH to configure a remote system that takes a digital signature or even a public key for input. That digital signature/public key was simply uploaded to that remote host, either directly or through a third-party. Since SSH connection (without getting into SSH tunneling) is generally text-based, in practice, visually validating that digital signature/public key can be difficult in a small terminal window,
As such, hashing the same piece of information on both hosts can be an easy way to work around it.
Anyway, these scenarios work in my mind, but I wonder if they were ever applied in practice. To keep my question focused, I wonder if:
- Are there any systems that, given their scope, only validate digital signatures' integrity, but not digital signatures themselves?
- Is there any evidence that hashing a digital signature for quick (but incomplete) sanity check is a known practice?
