
 





Subject: requirements 3.3.2 Requestor Identity


Do the following statements capture the intent of the requestor identity section correctly?

1. The requestor identity is a core schema definition that could be used in a signature as a signature property, or could be conveyed in a request or response protocol message.

2. It includes information to identify the requestor/signer, such as a name and perhaps additional information such as organization, title, organizational role allowing it to be meaningful for the signing under consideration.

3. Authentication of the requestor for a request protocol message is independent, and could be by a variety of means, such as SSL/TLS client cert, SOAP Message Security token, or others.

4. There is no guarantee based on the requestor identity element itself that the identity stated in the requestor identity matches the authenticated identity for a protocol request that conveys it. (e.g. the name might be a full name, but a cert has a DN, or the stated requestor identity and the authenticated protocol requestor might be two different entities.)

5. The signing server is responsible for ensuring the appropriate match of authentication of a request to the contents of the requestor identity. When this is done then the server may incorporate an authentication context element or certificate into the requestor identity element.

If this is correct, perhaps we need to add a statement to 3.3.2 saying that the signing server is responsible for adding authentication context, certificate or other authentication related information to the requestor identity element when appropriate authentication related to that identity has been performed for the transaction in question.

Am I correct in rephrasing what the section says?

I think this is another case where we say something about server processing rules.

regards, Frederick
 
Frederick Hirsch
Nokia Mobile Phones
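The server processing rule sketched in points 4 and 5 of the message above, as an added example that is not part of the original message or of the DSS specification: a signing server receives a stated requestor identity, compares it with the identity authenticated on the transport (here a TLS client-certificate subject DN), and only when they agree appends an authentication context to the element. The element names, the namespace, the `RequestorIdentity` fragment and the certificate DN are all constructed for this example and are not the DSS schema; the matching policy (CN must equal Name, O must equal Organization) is likewise an assumption a deployment would set for itself.

```python
"""Server-side check that a stated RequestorIdentity matches the authenticated
identity before an authentication context is added to it.

Added example: element names, namespace and the matching policy are assumptions,
not the DSS schema or its processing rules.
"""
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed namespace for this example (not the DSS namespace).
RI_NS = "urn:example:requestor-identity"
NS = {"ri": RI_NS}

# Constructed request fragment, as a signing server might receive it
# (hypothetical element names).
REQUEST_XML = """<RequestorIdentity xmlns="urn:example:requestor-identity">
  <Name>Jane Doe</Name>
  <Organization>Example Corp</Organization>
  <Role>Contracts Officer</Role>
</RequestorIdentity>"""

# Constructed subject DN of the TLS client certificate that authenticated the request.
CLIENT_CERT_DN = "CN=Jane Doe,OU=Legal,O=Example Corp,C=US"


def parse_dn(dn: str) -> dict:
    """Split a comma-separated RDN string into {ATTR: value}.
    Simplified: no escaping or multi-valued RDNs, which a real server must handle."""
    out = {}
    for rdn in dn.split(","):
        key, _, value = rdn.partition("=")
        out[key.strip().upper()] = value.strip()
    return out


def identity_matches(requestor: ET.Element, cert_dn: str) -> bool:
    """Point 5: the server decides whether the stated identity is the authenticated one.
    Policy assumed here: CN must equal Name and, if stated, O must equal Organization
    (case-insensitive). A missing CN or a missing Name never matches."""
    attrs = parse_dn(cert_dn)
    name = requestor.findtext("ri:Name", default="", namespaces=NS)
    org = requestor.findtext("ri:Organization", default="", namespaces=NS)
    if not name or "CN" not in attrs:
        return False
    if attrs["CN"].casefold() != name.casefold():
        return False
    if org and attrs.get("O", "").casefold() != org.casefold():
        return False
    return True


def bind_authentication(requestor_xml: str, cert_dn: Optional[str]) -> ET.Element:
    """Return the RequestorIdentity element, with an AuthenticationContext appended
    only when transport authentication exists and agrees with the stated identity.
    An unauthenticated or mismatching request leaves the element exactly as stated
    (point 4: the element itself guarantees nothing)."""
    root = ET.fromstring(requestor_xml)
    if cert_dn is None or not identity_matches(root, cert_dn):
        return root
    ctx = ET.SubElement(root, f"{{{RI_NS}}}AuthenticationContext")
    ctx.set("method", "tls-client-certificate")  # hypothetical attribute
    ET.SubElement(ctx, f"{{{RI_NS}}}SubjectDN").text = cert_dn
    return root


def has_auth_context(elem: ET.Element) -> bool:
    """True if the server bound an authentication context to the element."""
    return elem.find("ri:AuthenticationContext", NS) is not None


if __name__ == "__main__":
    bound = bind_authentication(REQUEST_XML, CLIENT_CERT_DN)
    print(ET.tostring(bound, encoding="unicode"))
    print("unauthenticated:", has_auth_context(bind_authentication(REQUEST_XML, None)))
```

The point of the structure is that the stated identity and the authentication evidence enter through different paths and are only joined by the server's explicit comparison; nothing in the element carries authority until `bind_authentication` has added it.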



