OASIS Mailing List Archives

 



dss message



Subject: Re: [dss] Individual reports for verification response


The protocol should probably support various levels of granularity in reports with the probable end result being that very few users may want access to that level of detail as a practical matter unless and until a signature is challenged, just like a bank keeps records of manual signatures on file to reference in the event a manual signature on a check or draft is challenged, but does not check each signature against the signature card because of the impracticality of the process.

---------- Original Message ----------------------------------
From: Andreas Kuehne <kuehne@klup.de>
Date:  Sat, 05 Jul 2003 12:42:04 +0200

>Hi Frederick,
>
>I remember your worries were the first thought that came to my mind. But the security of signatures shouldn't rely on obscurity. And fortunately it doesn't!
>
>Dtmo the transparency how a signature gets verified is much more useful for the broad adoption of signatures than the risk of informing an attacker.
>
>
>Greetings
>
>Andreas Kuehne
>
>
>Frederick.Hirsch@nokia.com wrote:
>
>> Does this information provide an attacker much information for analysis in a series of
>> requests and meaningful responses? I guess this depends on the environment, but could be noted
>> as a risk, depending on the detail of the reply.
>> 
>> regards, Frederick
>>  
>> Frederick Hirsch
>> Nokia Mobile Phones
>> 
>> 
>> 
>> 
>> 
>>>-----Original Message-----
>>>From: ext Trevor Perrin [mailto:trevp@trevp.net]
>>>Sent: Friday, June 20, 2003 1:44 PM
>>>To: Juan Carlos Cruellas; dss@lists.oasis-open.org
>>>Subject: Re: [dss] Individual reports for verification response
>>>
>>>
>>>At 01:16 PM 6/20/2003 +0200, Juan Carlos Cruellas wrote:
>>>
>>>
>>>>Trevor,
>>>>
>>>>What about something like:
>>>>"The server should be able to issue individual reports on each
>>>>token it has verified (certificates, signatures, etc) when the verification
>>>>fails."
>>>>
>>>When it fails, do you want:
>>>  - a report only on the thing that failed (this certificate was revoked)
>>>  - also reports on the things that were good (this certificate was revoked, these were good, these weren't checked yet)
>>>
>>>
>>>You may leave a Technical Committee at any time by visiting
>>>http://www.oasis-open.org/apps/org/workgroup/dss/members/leave_workgroup.php
>>>
>>>
>>>
>> 
>
>
>

