[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [dss] Representing requestor's identity
At 05:07 PM 4/29/2003 -0400, jmessing wrote: >Where a person signs on behalf of another person or an entity, which is an >essential element of delegated signing, it would be handy to have a >standard way of communicating between applications and entities how the >authorizations were set up and for how long they are intended to last. It >could be critical to certain types of transactions. > >It is related to identification of a signer, but not identical to it. This sounds less like signed attributes the signer would add to a particular signature, and more like policies, validity intervals, and name constraints a CA would add to the DSS Server's certificate. In other words, you wouldn't trust the DSS Server to say "I'm authorized to sign for Bob", you'd trust some higher-level authority to say "the DSS Server is authorized to sign for Bob". So this seems a matter of trust infrastructure that's out of scope for us. Though once I pointed out that if we wanted DSS services to be able to have an X.509 cert that says "I'm authorized to sign for *@acme.com", we could try to convince PKIX that a cert with SubjectName "delegated-signing-authority@acme.com" should have that semantics, or something: http://lists.oasis-open.org/archives/dss/200302/msg00019.html Trevor >---------- Original Message ---------------------------------- >From: Trevor Perrin <trevp@trevp.net> >Date: Tue, 29 Apr 2003 13:08:06 -0700 > > >At 08:03 AM 4/29/2003 -0400, jmessing wrote: > > > >>Apart from some of the identity and authentication issues being debated > >>with regard to SAML, I would like to see a somewhat richer set in the base > >>where for example the corporate signing use case is involved. > >> > >>Besides a signer's identity, could we indicate where the signer is signing > >>on behalf of another person or entity > > > >I think this is implied by the signed attribute for "Requestor Identity". > > > >>--title > > > >of the Requestor? Within a SAML Assertion, it would be easy to give > >further attributes of the Requestor (like his title) with > AttributeStatements. > > > >>--signature authorization (as in legal authority or delegated permission) > >>--duration of signature authorization > > > >not sure what the above mean. Are you sure they have to do with > >Identifying the Requestor, and aren't just other signed attributes that a > >DSS Service might add, but which our protocol doesn't have to take into > >account? > > > >>--individual who granted authorization to sign > > > >I.e. the Requestor Identity? > > > > > >Trevor > > > > > > > >
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]