Subject: RE: [dss] signed verification response
Yes - this is a reasonable way of providing the same protection as EPM, assuming that there is also time included in the validation response.

> -----Original Message-----
> From: Trevor Perrin [mailto:trevp@trevp.net]
> Sent: 02 July 2003 21:10
> To: dss@lists.oasis-open.org
> Subject: [dss] signed verification response
>
> John Messing raised an interesting idea, offlist:
>
> Perhaps, when calling DSS Verify, the client could request that the service
> sign its response. Then the client could archive the response, and if the
> client was later accused of mistakenly relying on a false signature, or
> processing the signature contents incorrectly, the client could produce the
> signed response and claim "don't blame me, blame the DSS service".
>
> Or the client could attach the response as an unsigned attribute to the
> signature, and pass them both along to a 3rd party, in which case this
> would be yet another way for A to present 3rd-party evidence of a
> signature's validity to B (along with counter-signing, and the EPM approach
> of using a time-stamp, and the approach of adding cert-path validity info,
> like signed OCSP responses).
>
> Anyways, we could add a "Whether response should be signed" option in
> 3.6.2., if people support this.
>
> Trevor