[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [dss] Signature Gateway Profile
Trevor, Your recommendation for XAdES is sound; and I will include it in the Signature Gateway Profile. In addition, per Burt's suggestion, the profile will explicitly reference the possibility of out-of-band conventions indicated by the signing key. For example, if the Signature Gateway Server validated the manifest, then it signs with key1; otherwise, it signs with key2. I concur with your suggestion for including the Type attribute in the updated signature. Glenn Trevor Perrin <trevp@trevp.net> To: <dss@lists.oasis-open.org> cc: 11/06/2004 03:27 Subject: RE: [dss] Signature Gateway Profile PM At 11:26 AM 11/6/2004 -0500, Glenn.Benson@chase.com wrote: >[...] When the VerifyRequest does not contain a >RequestUpdatedSiganture, the requester communicates with the DSS server for >the purpose of discovering ephemeral information. The requester can use >this information any way that it wishes. However, if the request contains >a RequestUpdatedSignature, the requester obtains a token of consequential >evidence that can be re-validated by other parties. > >Unfortunately, the third party cannot unequivocally determine the intent of >the DSS server. For example, the third party does not know if the DSS >server validated the manifest before producing the signature. The updated signature can contain an indication of signature policy. For example, if the updated signature is an XAdES signature, it can contain a SignaturePolicyIdentifier specifying whether or not Manifest Verification was performed. >[...]I would also like to expand the requester's flexibility when it submits a >request for the signature. The requester should, for example, request a >signature of (i) the original document, (ii) a countersignature of the >original signature, or (iii) both of the above. For (i) and (ii), simply define different URIs for the ReturnUpdatedSignature/@Type attribute. For (iii), right now only one occurrence of ReturnUpdatedSignature can be sent per request (see section 2.7, 4th paragraph). We could change that, and have the returned <UpdatedSignature> elements contain a 'Type' attribute so clients can match outputs with inputs. That seems like a worthwhile feature, what do you (or anyone else) think? Trevor To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/dss/members/leave_workgroup.php .
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]