[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [dss] Representing requestor's identity (As a signed attribute ofsignature)
I am starting to understand where you are coming from. However, I am loath to get into changing the CMS structure, even if it is by an extension. > -----Original Message----- > From: Trevor Perrin [mailto:trevp@trevp.net] > Sent: 29 April 2003 19:21 > To: Nick Pope; dss@lists.oasis-open.org > Subject: RE: [dss] Representing requestor's identity (As a signed > attribute ofsignature) > > > At 10:27 AM 4/29/2003 +0100, Nick Pope wrote: > > >Trevor, > > > >I am very confused over what you are suggesting. > > > >The DSS structure is in XML. If we have a CMS signature it will > be carried > >within a subcomponent of this XML. The information about > requestor needs to > >be visible as part of the XML syntax. > > Sorry, I guess I'm confusing everyone. I renamed the subject. I was > talking about how to identify the requestor as a signed attribute of a > DSS-produced signature. > > This is necessary *IFF* the DSS is signing with a key that is not > intrinsically associated with the requestor, but wants the > relying party to > know who the requestor was: > - If the DSS has the requestor's private key on file and signs > with that, > and includes the requestor's cert in the dsig:KeyInfo, then adding a > Requestor Identity signed attribute is not necessary. > - If the DSS signs to indicate "I, as a corporation, approve this > document" or something, then adding a Requestor Identify signed attribute > may not be necessary. > > > >CMS only carries GeneralName within some of the certificate > extensions. It > >does not include GeneralName in any other part of the structure! Are you > >suggesting that we start re-defining CMS? > > I'm suggesting we add a GeneralName as a CMS signed attribute. > This isn't > really re-defining CMS, but it is augmenting it.. probably we > should liase > with ietf-smime in some way. > > > >I strongly suggest that we carry the SAML structure when this is > used as a > >method of authenticating / authorising the requestor. > > I was suggesting that when the DSS wants to not only identify the > requestor, but give facts about the requestor's authentication > (whether it > was through Kerberos, Biometric, a password, whatever), then the > DSS could > add a SAML Assertion (in place of, or in conjunction with) the simpler > "name syntax" that just represents the requestor's identity. > > Trevor > >
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]