Subject: [dss] Authentication in DSS
At the January 13 teleconference, I raised the question of how requesters will be authenticated to a DSS service.

In some digital signature policies, authentication steps occur at two levels, initially to establish the valid identity corresponding to the signer's session and subsequently for individual digital signatures that are to be applied. In a smart card environment, this corresponds to the policy where a second PIN is required to approve a digital signature.

If the DSS service relies on an authentication authority (e.g., SAML), the two-authentication policy could be achieved via two separate authentications. Alternatively, the DSS service could manage its own authentication (e.g., accept a PIN) in addition to a SAML assertion from an authentication authority.

Key-splitting raises interesting authentication requirements. If the DSS service cryptographically splits its signing key between two servers, then each server needs assurance that the user has been authenticated. If both servers rely on a single authentication authority, however, then compromise of the authentication authority would undermine the benefits of key-splitting.

I'd be interested in hearing the group's suggestions on these authentication issues.

-- Burt Kaliski
RSA Laboratories
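The split-key arrangement discussed in the message above, as an added worked example in Python that is not part of the original post or of any DSS implementation: the signing exponent is split additively between two servers, server A accepts an assertion from the authentication authority (session-level identity), and server B independently checks a per-signature PIN that the authority never sees. The toy-size RSA modulus, the HMAC-tagged stand-in for a SAML assertion, the PBKDF2 PIN check, the request layout and all names are assumptions made for illustration. The weak variant, where both servers trust the same authority, is included to show why a stolen authority key then suffices to sign.

```python
"""Added example (not from the post): a 2-of-2 split RSA signing key where each
share-holding server enforces its own authentication step, so that compromising the
authentication authority alone does not yield a signature."""
import hashlib
import hmac
import os
import secrets
from math import gcd

# Toy-size RSA modulus built from two Mersenne primes: illustration only, NOT secure.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)   # Carmichael lambda(N)
D = pow(E, -1, LAM)                             # private exponent d = e^-1 mod lambda


def split_key(d, lam):
    """Additive 2-of-2 split: d1 + d2 = d (mod lam); either share alone reveals nothing."""
    d1 = secrets.randbelow(lam - 1) + 1
    return d1, (d - d1) % lam


def digest_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


class AuthAuthority:
    """Stand-in for a SAML-style authority (assumption): assertions are HMAC-tagged."""
    def __init__(self):
        self.key = os.urandom(32)          # the secret whose theft we want to survive

    def issue(self, subject):
        body = f"{subject}:{os.urandom(8).hex()}".encode()
        return body, hmac.new(self.key, body, "sha256").digest()


def assertion_ok(key, assertion):
    body, tag = assertion
    return hmac.compare_digest(hmac.new(key, body, "sha256").digest(), tag)


class ShareServer:
    """Holds one exponent share; produces a partial signature only after its own check."""
    def __init__(self, share, check):
        self._share, self._check = share, check

    def partial_sign(self, req):
        if not self._check(req):
            raise PermissionError("share server refused: authentication failed")
        return pow(digest_to_int(req["msg"]), self._share, N)


def combine(s1, s2):
    # m^d1 * m^d2 = m^(d1+d2) = m^d (mod N), so the full signature never exists on one server
    return (s1 * s2) % N


def verify(msg, sig):
    return pow(sig, E, N) == digest_to_int(msg)


def build_service(pin, second_server_trusts_authority=False):
    """Server A trusts the authority (session-level auth). Server B either checks a
    per-signature PIN it holds itself, or (the weak variant) also trusts the authority."""
    authority = AuthAuthority()
    d1, d2 = split_key(D, LAM)
    salt = os.urandom(16)
    pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)

    def check_a(req):
        return assertion_ok(authority.key, req["assertion"])

    def check_b(req):
        cand = hashlib.pbkdf2_hmac("sha256", req.get("pin", "").encode(), salt, 50_000)
        return hmac.compare_digest(cand, pin_hash)

    srv_b = ShareServer(d2, check_a if second_server_trusts_authority else check_b)
    return authority, ShareServer(d1, check_a), srv_b


def sign(srv_a, srv_b, req):
    return combine(srv_a.partial_sign(req), srv_b.partial_sign(req))


def scenario(second_server_trusts_authority=False):
    """Returns (legitimate signature verifies, forged-assertion attack succeeds)."""
    authority, srv_a, srv_b = build_service("4711", second_server_trusts_authority)
    msg = b"transfer 100 EUR to account 12345"        # constructed sample document
    good = {"msg": msg, "assertion": authority.issue("alice"), "pin": "4711"}
    legit_ok = verify(msg, sign(srv_a, srv_b, good))

    # Attacker holds the authority's stolen key (can forge any assertion) but no PIN.
    forged_body = b"alice:forged"
    forged = {"msg": msg,
              "assertion": (forged_body, hmac.new(authority.key, forged_body, "sha256").digest())}
    try:
        attack_ok = verify(msg, sign(srv_a, srv_b, forged))
    except PermissionError:
        attack_ok = False
    return legit_ok, attack_ok


if __name__ == "__main__":
    print("independent checks:", scenario(False))  # (True, False)
    print("single authority  :", scenario(True))   # (True, True)
```

Server B's check is deliberately something the authority cannot produce (a PIN hash held only by B), which is what makes the second share worth having; replacing it with the same assertion check collapses the two servers into one trust domain, and the forged assertion then signs successfully.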