Re: [dss] Individual reports for verification response

[Andreas Kuehne <kuehne@klup.de>]

Hi Frederick,

I remenber your worries were the first thought that came to my mind. But the security of signatures shouldn't rely on obscurity. And fortunately 
it doesn't !

Dtmo the transparency how a signature gets verified is much more useful for the broad adoption of signatures than the risk of informing an attacker.


Greetings

Andreas Kuehne


Frederick.Hirsch@nokia.com wrote:

> Does this information provide an attacker much information for analysis in a series of
> requests and meaningful responses? I guess this depends on the environment, but could be noted
> as a risk, depending on the detail of the reply.
> 
> regards, Frederick
>  
> Frederick Hirsch
> Nokia Mobile Phones
> 
> 
> 
> 
> 
>>-----Original Message-----
>>From: ext Trevor Perrin [mailto:trevp@trevp.net]
>>Sent: Friday, June 20, 2003 1:44 PM
>>To: Juan Carlos Cruellas; dss@lists.oasis-open.org
>>Subject: Re: [dss] Individual reports for verification response
>>
>>
>>At 01:16 PM 6/20/2003 +0200, Juan Carlos Cruellas wrote:
>>
>>
>>>Trevor,
>>>
>>>What about something like:
>>>"The server should be able to issue individual reports on each
>>>token it has verified (certificates, signatures, etc) when 
>>>
>>the verification
>>
>>>fails."
>>>
>>When it fails, do you want:
>>  - a report only on the thing that failed (this certificate 
>>was revoked)
>>  - also reports on the things that were good (this certificate was 
>>revoked, these were good, these weren't checked yet) 
>>
>>
>>You may leave a Technical Committee at any time by visiting 
>>http://www.oasis-open.org/apps/org/workgroup/dss/members/leave
>>_workgroup.php
>>
>>
>>
> 
> You may leave a Technical Committee at any time by visiting http://www.oasis-open.org/apps/org/workgroup/dss/members/leave_workgroup.php
> 
> 
> 
>