# Signature encoding

DiME supports multiple signatures for any item. This enables the use of many different types of public-key networks, from classic trust trees to Web-of-Trust models.

Any signed DiME item, including envelopes, has a signature attached at the end. For envelopes this is indicated by a final colon (‘:’) followed by a signature package, whereas other items include the signature package after the final dot (‘.’).

Here is an example of a DiME key item signed by three different keys:

{% code overflow="wrap" %}

```
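Di:KEY.eyJjYXAiOlsiZW5jcnlwdCJdLCJpYXQiOiIyMDIyLTEwLTIyVDEyOjA2OjI0LjI5NTU0M1oiLCJrZXkiOiJTVE4uR3lGSjNpMmNicWRwUXpMRTRIOFJ0NWFZZG1LdUt1QXBNa3Jyd3lYaUJDaDQ3RTZuSCIsInVpZCI6IjM0NzRiY2RhLWQxYjItNGQ5OS04YjU4LWI2MzkxNjI0NmE2ZCJ9.MDFiODQxNmIzMjk0NmJmYi44YmFiOWRkYmJiNmU1Y2NlYTViYjI3MWVlMDY5NmY2YTFhODM5ZWQzOWY5YWNjZjZkZGY1YjZiMWFjNGJlZGNkYjNiMWNiYzY0OTY5NWFjMzM2YTg3Njg2ZTBjNmZhOTViZWI1NzA4ZmVkNDE1MDFiYjE1ZTRjNWI1MTZhNGIwYTo4MTk2YWQ2NmE0ODQwMmFiLmE3ZmI1OTAxMzRiMzVjNGQ5ZjM5OWIwYzRkNzJjNmFhZDA5YmExYjAwOWYwMWVkMTgzMmJlNWIwZTc1ZjNiMzVlYzYzN2JlZGRhMGFlMmUwMjZmMGYxNzVlMmRiYWI3OGQ4OGE5MDFlNThjZGFjYmI0ZDM4ZjU1ZDQzYzIzZTA4OjI2NzA1N2ZkOTdlMjAzZjYuMDQ1MTczYzQ0ODQ1MzcwMTczNGE0NWFjNmI2YzNkZTU3MzNhOGYwMzVhMjg1ZmY5YTYxNzc4N2ZkNWJiYTM4NzM2OTljZDlmMjk5OTU2NzJjYzA3NjA5MDIzY2ZiMGM5ZDg2OTE5ZmM2MGEwZGY5ZTNmYjU2YzRjZTU3OTlhMDI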
```

{% endcode %}

Copying the Base64-encoded string that follows the final dot (‘.’) gives:

{% code overflow="wrap" %}

```
MDFiODQxNmIzMjk0NmJmYi44YmFiOWRkYmJiNmU1Y2NlYTViYjI3MWVlMDY5NmY2YTFhODM5ZWQzOWY5YWNjZjZkZGY1YjZiMWFjNGJlZGNkYjNiMWNiYzY0OTY5NWFjMzM2YTg3Njg2ZTBjNmZhOTViZWI1NzA4ZmVkNDE1MDFiYjE1ZTRjNWI1MTZhNGIwYTo4MTk2YWQ2NmE0ODQwMmFiLmE3ZmI1OTAxMzRiMzVjNGQ5ZjM5OWIwYzRkNzJjNmFhZDA5YmExYjAwOWYwMWVkMTgzMmJlNWIwZTc1ZjNiMzVlYzYzN2JlZGRhMGFlMmUwMjZmMGYxNzVlMmRiYWI3OGQ4OGE5MDFlNThjZGFjYmI0ZDM4ZjU1ZDQzYzIzZTA4OjI2NzA1N2ZkOTdlMjAzZjYuMDQ1MTczYzQ0ODQ1MzcwMTczNGE0NWFjNmI2YzNkZTU3MzNhOGYwMzVhMjg1ZmY5YTYxNzc4N2ZkNWJiYTM4NzM2OTljZDlmMjk5OTU2NzJjYzA3NjA5MDIzY2ZiMGM5ZDg2OTE5ZmM2MGEwZGY5ZTNmYjU2YzRjZTU3OTlhMDI
```

{% endcode %}

Base64 decoding this string gives the actual signatures, each HEXADECIMAL encoded and separated by a colon (‘:’):

{% code overflow="wrap" %}

```
01b8416b32946bfb.8bab9ddbbb6e5ccea5bb271ee0696f6a1a839ed39f9accf6ddf5b6b1ac4bedcdb3b1cbc649695ac336a87686e0c6fa95beb5708fed41501bb15e4c5b516a4b0a:8196ad66a48402ab.a7fb590134b35c4d9f399b0c4d72c6aad09ba1b009f01ed1832be5b0e75f3b35ec637bedda0ae2e026f0f175e2dbab78d88a901e58cdacbb4d38f55d43c23e08:267057fd97e203f6.045173c448453701734a45ac6b6c3de5733a8f035a285ff9a617787fd5bba3873699cd9f29995672cc07609023cfb0c9d86919fc60a0df9e3fb56c4ce5799a02
```

{% endcode %}

The basic components of a signature, separated by a dot (‘.’), are:

* Key name – an identifier for the public key that may be used to verify the signature
* Signature – a digital signature encoded using HEXADECIMAL

The key name is generated by the cryptographic suite associated with the key and may thus have different lengths and formats.

Including the name of the key makes it easier to find the key needed to verify the signature and avoids unnecessary verification with keys that do not match the name.

### Signature scope

The signature scope defines the set of data that is integrity protected by a digital signature. The scope differs depending on whether the signature is for an envelope or an individual item. For envelopes the scope covers all items that are attached to it, and for items the scope covers only the item's own data.

All signatures that may be attached to an item or envelope are always excluded from the scope.

<figure><img src="https://1678507575-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MgRyVH9R66B2nn90QkQ%2Fuploads%2FVtbROPiYcxlG0SqqU71V%2FEncoding%20-%20Verification%20scope%20-%20item.png?alt=media&#x26;token=2c90b400-2307-426a-a9c8-133b884f599a" alt=""><figcaption><p>Signature verification scope of a DiME item</p></figcaption></figure>

Note that the character separating the item and the signature(s) is not included in the generation and verification of signatures. For envelopes this refers to the final colon (‘:’) and for other items to the final dot (‘.’).

<figure><img src="https://1678507575-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MgRyVH9R66B2nn90QkQ%2Fuploads%2F67lNtxogfrbKkkRiuBNe%2FEncoding%20-%20Verification%20scope%20-%20envelope.png?alt=media&#x26;token=c57bfcd9-37ff-4f14-8697-928ba3e13519" alt=""><figcaption><p>Signature verification scope of a DiME envelope</p></figcaption></figure>

The signature scope is then hashed, creating a thumbprint of the item, which is then used to generate the signature.

This means that in most cases envelopes and items do not need to be decoded for generation and verification of signatures. An exception to this may be when a public key, or key identifier, needs to be retrieved from the item itself before verifying a signature.
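The package layout and signature scope described above can be handled without decoding the item payload. The following Python sketch is an added example, not code from the DiME project: the function names are hypothetical, the sample item is constructed, and it assumes the standard Base64 alphabet with padding stripped (as in the sample on this page) and key names that contain no dot.

```python
import base64
import binascii
import string

HEX_DIGITS = set(string.hexdigits)

def split_signed(encoded, envelope=False):
    """Split a signed item into (scope, package); the separator is in neither."""
    # Caller must already know the item is signed: an unsigned item also has dots.
    separator = ":" if envelope else "."
    scope, found, package = encoded.rpartition(separator)
    if not found or not scope or not package:
        raise ValueError("no signature package attached")
    return scope, package

def parse_package(package):
    """Decode a signature package into [(key_name, signature_bytes), ...]."""
    padded = package + "=" * (-len(package) % 4)  # the page's sample is unpadded
    try:
        decoded = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("signature package is not valid Base64") from exc
    signatures = []
    for entry in decoded.split(":"):
        # Assumption: the key name itself contains no dot.
        name, dot, sig_hex = entry.partition(".")
        well_formed = dot and name and sig_hex and len(sig_hex) % 2 == 0
        if not well_formed or not set(sig_hex) <= HEX_DIGITS:
            raise ValueError(f"malformed signature entry: {entry!r}")
        signatures.append((name, bytes.fromhex(sig_hex)))
    return signatures

def select_candidates(signatures, held_key_names):
    """Keep only signatures whose key name matches a key the verifier holds."""
    return [(name, sig) for name, sig in signatures if name in held_key_names]

# Constructed sample: made-up key names and (far too short) made-up signatures.
_RAW = "aaaa0000bbbb1111.00ff10:cccc2222dddd3333.a1b2c3d4"
SAMPLE_ITEM = ("Di:KEY.eyJ1aWQiOiJjb25zdHJ1Y3RlZCJ9."
               + base64.b64encode(_RAW.encode()).decode().rstrip("="))

if __name__ == "__main__":
    scope, package = split_signed(SAMPLE_ITEM)
    print("scope to hash:", scope)
    for name, sig in select_candidates(parse_package(package), {"cccc2222dddd3333"}):
        print("verify with key", name, "signature", sig.hex())
```

Malformed entries raise `ValueError` instead of being skipped, so a damaged package is never treated as a shorter but valid list of signatures.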

