[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: Passing URLs
Hi Trevor ! > >But acting on his own behalf the DSS server may not have the rights to > >access a given URL. So we probably need a 'claimed role' structure in the > >request. > > We have a <ClaimedIdentity> element as an Option. It's a string, to > contain "The identity or role asserted by the client. " (at least that's > what the requirements doc says). I thought of the <ClaimedIdentity> as a legal role, e.g. 'chief of purchase', dtmo the untestified equivalent to a attribute certificate. The 'claimed role' was intended to be a technical role ( e.g. user 'andreask' and a passwords hash value ), enabling the access to some URL ( 'file://home/andreask/foo.doc' ). But no need to use this role as the <ClaimedIdentity>. But we would introduce some more complexity / security issues with such a solution. > > And a matching 'CodeErrorType' if the access to the document fails. > > > >Much more common to me is a DSS server that has very limited access to the > >outside world. > > I would like to have a bit in the signature profile saying 'document > > required to be within the request'. So the requestor didn't even thinks > > about just passing a URL. > > That makes sense. Or we could go further and remove <DocumentURI> entirely. Despite I cant't live with the simple hash transport ( a SigG server has to be able to show the signable document on demand ) removing the <DocumentURI> would be OK for me. I guess it's the easiest way especially for version 1.0 ! Greetings Andreas ______________________________________________________________________________ Die Besten ihrer Klasse! WEB.DE FreeMail (1,7) und WEB.DE Club (1,9) - bei der Stiftung Warentest - ein Doppelsieg! http://f.web.de/?mc=021184
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]