Subject: signed verification response
John Messing raised an interesting idea, offlist:

Perhaps, when calling DSS Verify, the client could request that the service sign its response. Then the client could archive the response, and if the client was later accused of mistakenly relying on a false signature, or processing the signature contents incorrectly, the client could produce the signed response and claim "don't blame me, blame the DSS service".

Or the client could attach the response as an unsigned attribute to the signature, and pass them both along to a 3rd party, in which case this would be yet another way for A to present 3rd-party evidence of a signature's validity to B (along with counter-signing, and the EPM approach of using a time-stamp, and the approach of adding cert-path validity info, like signed OCSP responses).

Anyways, we could add a "Whether response should be signed" option in 3.6.2., if people support this.

Trevor