Re: Passing URLs

["Andreas Kuehne" <kuehne@klup.de>]

Hi Trevor !

> >But acting on his own behalf the DSS server may not have the rights to 
> >access a given URL. So we probably need a 'claimed role' structure in the 
> >request.
> 
> We have a <ClaimedIdentity> element as an Option.  It's a string, to 
> contain "The identity or role asserted by the client. " (at least that's 
> what the requirements doc says).
I thought of the <ClaimedIdentity> as a legal role, e.g. 'chief of purchase', dtmo the untestified equivalent to a attribute certificate.

The 'claimed role' was intended to be a technical role ( e.g. user 'andreask' and a passwords hash value ), enabling the access to some URL ( 'file://home/andreask/foo.doc' ). But no need to use this role as the <ClaimedIdentity>. But we would introduce some more complexity / security issues with such a solution.

> >  And a matching 'CodeErrorType' if the access to the document fails.
> >
> >Much more common to me is a DSS server that has very limited access to the 
> >outside world.
> >  I would like to have a bit in the signature profile saying 'document 
> > required to be within the request'. So the requestor didn't even thinks 
> > about just passing a URL.
> 
> That makes sense.  Or we could go further and remove <DocumentURI> entirely.

Despite I cant't live with the simple hash transport ( a SigG server has to be able to show the signable document on demand ) removing the <DocumentURI> would be OK for me.

I guess it's the easiest way especially for version 1.0 !


Greetings 

Andreas
______________________________________________________________________________
Die Besten ihrer Klasse! WEB.DE FreeMail (1,7) und WEB.DE Club (1,9) -
bei der Stiftung Warentest - ein Doppelsieg! http://f.web.de/?mc=021184